anchore-k8s-inventory.yaml

# same as -q ; suppress all output (except for the inventory results)
quiet: false

log:
  # use structured logging
  structured: false

  # the log level; note: detailed logging suppress the ETUI
  level: "debug"

  # location to write the log file (default is not to have a log file)
  file: "./anchore-k8s-inventory.log"

# enable/disable checking for application updates on startup
check-for-app-update: true

anchore-registration:
  # The id to register the agent as with Enterprise, so Enterprise can map the agent to its integration uuid.
  # If left unspecified, the agent will attempt to set registration-id to the uid of the K8s Deployment for the agent.
  # If that fails (e.g., if the agent is not deployed on K8s), the agent will generate a UUID to use as registration-id.
  registration-id:
  # The name that the agent should have. If left unspecified, the agent will attempt to set it to the name of the K8s
  # Deployment for the agent. If that fails it will be empty.
  integration-name:
  # A short description for the agent
  integration-description:

kubeconfig:
  path:
  cluster: docker-desktop
  cluster-cert:
  server:  # ex. https://kubernetes.docker.internal:6443
  user:
    type:  # valid: [private_key, token]
    client-cert:
    private-key:
    token:

# Which namespaces to search or exclude.
namespace-selectors:
  # Namespaces to include as explicit strings, not regex
  # NOTE: Will search ALL namespaces if left as an empty array
  include: []

  # List of namespaces to exclude, can use explicit strings and/or regexes.
  # For example
  #
  # list:
  # - default
  # - ^kube-*
  #
  # Will exclude the default, kube-system, and kube-public namespaces
  exclude: []

  ignore-empty: false

account-routes:
   # <Anchore Account Name>: # (this is the name of the anchore account e.g. admin)
   #   user: <username> <OPTIONAL>
   #   password: <password> <OPTIONAL>
   #   namespaces: # Can be a list of explicit namespaces matches or regex patterns
   #     - <namespace>
   #     - <regex pattern>
   #
   # Example
   # admin:
   #   user: username
   #   password: password
   #   namespaces:
   #     - default
   #     - ^kube-*

# Route namespaces to anchore accounts by a label on the namespace
account-route-by-namespace-label:
  # The name of the namespace label that will be used to route the contents of
  # that namespace to the Anchore account matching the value of the label
  key:  # e.g anchore.io/account.name
  # The name of the account to route inventory to for a namespace that is
  # missing the label or if the anchore account is not found.
  # If not set then it will default to the account specified in the anchore credentials
  default-account:  # e.g. admin
  # If true will exclude inventorying namespaces that are missing the specified label
  ignore-namespace-missing-label: false

# Kubernetes API configuration parameters (should not need tuning)
kubernetes:
  # Sets the request timeout for kubernetes API requests
  request-timeout-seconds: 60

  # Sets the number of objects to iteratively return when listing resources
  request-batch-size: 100

  # Worker pool size for collecting pods from namespaces. Adjust this if the api-server gets overwhelmed
  worker-pool-size: 100

# Can be one of adhoc, periodic (defaults to adhoc)
mode: adhoc

# If no registry information can be found by a `pod describe` you can use this
# field to override the registry for images where no registry is found. This
# can happen when the cluster is configured to use a specific private repo.
# However, kubernetes does not represent this in the pod describe output other
# than as the default 'docker.io' registry in the Image ID and a blank registry
# in the Image field. This should be set to match the private registry
# configuration of the cluster.
missing-registry-override:  # ex. myregistry.io

# Handle cases where a tag is missing. For example - images designated by digest
missing-tag-policy:
  # One of the following options [digest, insert, drop]. Default is 'digest'
  #
  # [digest] will use the image's digest as a dummy tag.
  #
  # [insert] will insert a default tag in as a dummy tag. The dummy tag is
  #          customizable under missing-tag-policy.tag
  #
  # [drop] will drop images that do not have tags associated with them. Not
  #        recommended.
  policy: digest

  # Dummy tag to use. Only applicable if policy is 'insert'. Defaults to UNKNOWN
  tag: UNKNOWN


# Ignore images out of pods that are not in a Running state
ignore-not-running: true

# Only respected if mode is periodic
polling-interval-seconds: 300

# Only respected if mode is periodic
health-report-interval-seconds: 60

# Batch Request configuration
inventory-report-limits:
  namespaces: 0 # default of 0 means no limit per report

# Metadata configuration
metadata-collection:
  nodes:
    include-annotations: [] # List of annotations to include (explicit or regex)
    include-labels: [] # List of labels to include (explicit or regex)
    disable: false # Remove all optional node metadata from the inventory report
  namespaces:
    include-annotations: [] # List of annotations to include (explicit or regex)
    include-labels: [] # List of labels to include (explicit or regex)
    disable: false # Remove all optional namespace metadata from the inventory report
  pods:
    include-annotations: [] # List of annotations to include (explicit or regex)
    include-labels: [] # List of labels to include (explicit or regex)
    disable: false # Remove all optional pod metadata from the inventory report

# Anchore API Configuration
anchore:
  # url: $ANCHORE_K8S_INVENTORY_ANCHORE_URL
  # user: $ANCHORE_K8S_INVENTORY_ANCHORE_USER
  password: $ANCHORE_K8S_INVENTORY_ANCHORE_PASSWORD
  # account: admin
#  http:
#    insecure: true
#    timeout-seconds: 10