Starboard Settings

The Starboard CLI and Starboard Operator both read their configuration settings from a ConfigMap, as well as a secret that holds confidential settings (such as a GitHub token).

The starboard init command creates the starboard ConfigMap and the starboard secret in the starboard namespace with default settings.

Similarly, the operator ensures the starboard ConfigMap and the starboard secret in the OPERATOR_NAMESPACE.

You can change the default settings with kubectl patch or kubectl edit commands.

For example, by default Trivy displays vulnerabilities with all severity levels (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL). However, you can opt in to display only HIGH and CRITICAL vulnerabilities by patching the trivy.severity value in the starboard ConfigMap:

kubectl patch cm starboard -n <starboard_operator> \
  --type merge \
  -p "$(cat <<EOF
{
  "data": {
    "trivy.severity": "HIGH,CRITICAL"
  }
}
EOF
)"

To set the GitHub token used by Trivy in Standalone mode add the trivy.githubToken value to the starboard secret instead:

GITHUB_TOKEN=<your token>

kubectl patch secret starboard -n <starboard_operator> \
  --type merge \
  -p "$(cat <<EOF
{
  "data": {
    "trivy.githubToken": "$(echo -n $GITHUB_TOKEN | base64)"
  }
}
EOF
)"

The following tables list available configuration settings with their default values.

Tip

You only need to configure the settings for the scanner you are using (i.e. trivy.* parameters are used if vulnerabilityReports.scanner is set to Trivy). Check integrations page to see example configuration settings for common use cases.

CONFIGMAP KEY DEFAULT DESCRIPTION
vulnerabilityReports.scanner Trivy The name of the scanner that generates vulnerability reports. Either Trivy or Aqua.
trivy.httpProxy N/A The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. Only applicable in Standalone mode.
trivy.severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL A comma separated list of severity levels reported by Trivy
trivy.imageRef docker.io/aquasec/trivy:0.14.0 Trivy image reference
trivy.mode Standalone Trivy client mode. Either Standalone or ClientServer. Depending on the active mode other settings might be applicable or required.
trivy.serverURL N/A The endpoint URL of the Trivy server. Required in ClientServer mode.
trivy.serverTokenHeader Trivy-Token The name of the HTTP header to send the authentication token to Trivy server. Only application in ClientServer mode when trivy.serverToken is specified.
aqua.imageRef docker.io/aquasec/scanner:5.3 Aqua scanner image reference. The tag determines the version of the scanner binary executable and it must be compatible with version of Aqua console.
aqua.serverURL N/A The endpoint URL of Aqua management console
kube-bench.imageRef docker.io/aquasec/kube-bench:0.4.0 kube-bench image reference
kube-hunter.imageRef docker.io/aquasec/kube-hunter:0.4.0 kube-hunter image reference
kube-hunter.quick "false" Whether to use kube-hunter's "quick" scanning mode (subnet 24). Set to "true" to enable.
polaris.imageRef quay.io/fairwinds/polaris:3.0 Polaris image reference
polaris.config.yaml Check the default value here Polaris configuration file
SECRET KEY DESCRIPTION
trivy.githubToken The GitHub access token used by Trivy to download the vulnerabilities database from GitHub. Only applicable in Standalone mode.
trivy.serverToken The token to authenticate Trivy client with Trivy server. Only applicable in ClientServer mode.
trivy.serverCustomHeaders A comma-separated list of custom HTTP headers sent by Trivy client to Trivy server. Only applicable in ClientServer mode.
aqua.username Aqua management console username
aqua.password Aqua management console password

Tip

You can find it handy to delete a configuration key, which was not created by default by the starboard init command. For example, the following kubectl patch command deletes the trivy.httpProxy key:

kubectl patch cm starboard -n <starboard_operator> \
  --type json \
  -p '[{"op": "remove", "path": "/data/trivy.httpProxy"}]'