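# Helm values for rancher/hardened-node-feature-discovery (NFD).
# Security-relevant defaults worth knowing before overriding anything here:
#   * master/worker containers drop all capabilities, run read-only and non-root;
#   * topologyUpdater is disabled by default and runs as root when enabled;
#   * TLS for the (deprecated) worker<->master gRPC path is off by default.
image:
  repository: rancher/hardened-node-feature-discovery
  # This should be set to 'IfNotPresent' for released version
  pullPolicy: IfNotPresent
  # tag, if defined will use the given image tag, else Chart.AppVersion will be used
  # NOTE(review): a tag is mutable; if the image template supports it, an
  # immutable digest (repository@sha256:...) is the stronger pin.
  tag: v0.15.6-build20240822
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
namespaceOverride: ""

enableNodeFeatureApi: true

master:
  enable: true
  # Example nfd-master config. Every entry below is commented out, so the
  # binary's defaults apply. The `###` lines delimit the block; leave them in place.
  config: ###
    # noPublish: false
    # autoDefaultNs: true
    # extraLabelNs: ["added.ns.io","added.kubernetes.io"]
    # denyLabelNs: ["denied.ns.io","denied.kubernetes.io"]
    # resourceLabels: ["vendor-1.com/feature-1","vendor-2.io/feature-2"]
    # enableTaints: false
    # labelWhiteList: "foo"
    # resyncPeriod: "2h"
    # klog:
    #   addDirHeader: false
    #   alsologtostderr: false
    #   logBacktraceAt:
    #   logtostderr: true
    #   skipHeaders: false
    #   stderrthreshold: 2
    #   v: 0
    #   vmodule:
    ##  NOTE: the following options are not dynamically run-time configurable
    ##        and require a nfd-master restart to take effect after being changed
    #   logDir:
    #   logFile:
    #   logFileMaxSize: 1800
    #   skipLogHeaders: false
    # leaderElection:
    #   leaseDuration: 15s
    #   # this value has to be lower than leaseDuration and greater than retryPeriod*1.2
    #   renewDeadline: 10s
    #   # this value has to be greater than 0
    #   retryPeriod: 2s
    # nfdApiParallelism: 10
    ###
  # The TCP port that nfd-master listens on for incoming requests. Default: 8080
  # Deprecated: this parameter is related to the deprecated gRPC API and will
  # be removed with it in a future release
  port: 8080
  metricsPort: 8081
  # The bare keys below are intentionally unset (null); the chart only renders
  # them when a value is supplied.
  instance:
  featureApi:
  resyncPeriod:
  denyLabelNs: []
  extraLabelNs: []
  resourceLabels: []
  # NOTE(review): enabling taints lets nfd-master taint nodes based on feature
  # rules, which affects scheduling cluster-wide. Keep disabled unless the
  # rule sources are trusted.
  enableTaints: false
  crdController: null
  featureRulesController: null
  nfdApiParallelism: null
  deploymentAnnotations: {}
  replicaCount: 1

  podSecurityContext: {}
    # fsGroup: 2000
    # NOTE(review): the Pod Security "restricted" profile also requires
    # seccompProfile.type: RuntimeDefault; uncomment if your cluster enforces it.
    # seccompProfile:
    #   type: RuntimeDefault

  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: [ "ALL" ]
    readOnlyRootFilesystem: true
    # runAsNonRoot without an explicit runAsUser relies on the image declaring
    # a numeric non-root USER; the kubelet refuses to start the container otherwise.
    runAsNonRoot: true
    # runAsUser: 1000

  serviceAccount:
    # Specifies whether a service account should be created
    create: true
    # Annotations to add to the service account
    annotations: {}
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name:

  rbac:
    create: true

  service:
    type: ClusterIP
    port: 8080

  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi

  nodeSelector: {}

  tolerations:
    - key: "node-role.kubernetes.io/master"
      operator: "Equal"
      value: ""
      effect: "NoSchedule"
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Equal"
      value: ""
      effect: "NoSchedule"

  annotations: {}

  affinity:
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 1
          preference:
            matchExpressions:
              - key: "node-role.kubernetes.io/master"
                operator: In
                values: [""]
        - weight: 1
          preference:
            matchExpressions:
              - key: "node-role.kubernetes.io/control-plane"
                operator: In
                values: [""]

worker:
  enable: true
  # Example nfd-worker config. Every entry below is commented out, so the
  # binary's defaults apply. The `###` lines delimit the block; leave them in place.
  config: ###
    #core:
    #  labelWhiteList:
    #  noPublish: false
    #  sleepInterval: 60s
    #  featureSources: [all]
    #  labelSources: [all]
    #  klog:
    #    addDirHeader: false
    #    alsologtostderr: false
    #    logBacktraceAt:
    #    logtostderr: true
    #    skipHeaders: false
    #    stderrthreshold: 2
    #    v: 0
    #    vmodule:
    ##   NOTE: the following options are not dynamically run-time configurable
    ##         and require a nfd-worker restart to take effect after being changed
    #    logDir:
    #    logFile:
    #    logFileMaxSize: 1800
    #    skipLogHeaders: false
    #sources:
    #  cpu:
    #    cpuid:
    ##     NOTE: whitelist has priority over blacklist
    #      attributeBlacklist:
    #        - "BMI1"
    #        - "BMI2"
    #        - "CLMUL"
    #        - "CMOV"
    #        - "CX16"
    #        - "ERMS"
    #        - "F16C"
    #        - "HTT"
    #        - "LZCNT"
    #        - "MMX"
    #        - "MMXEXT"
    #        - "NX"
    #        - "POPCNT"
    #        - "RDRAND"
    #        - "RDSEED"
    #        - "RDTSCP"
    #        - "SGX"
    #        - "SSE"
    #        - "SSE2"
    #        - "SSE3"
    #        - "SSE4"
    #        - "SSE42"
    #        - "SSSE3"
    #        - "TDX_GUEST"
    #      attributeWhitelist:
    #  kernel:
    #    kconfigFile: "/path/to/kconfig"
    #    configOpts:
    #      - "NO_HZ"
    #      - "X86"
    #      - "DMI"
    #  pci:
    #    deviceClassWhitelist:
    #      - "0200"
    #      - "03"
    #      - "12"
    #    deviceLabelFields:
    #      - "class"
    #      - "vendor"
    #      - "device"
    #      - "subsystem_vendor"
    #      - "subsystem_device"
    #  usb:
    #    deviceClassWhitelist:
    #      - "0e"
    #      - "ef"
    #      - "fe"
    #      - "ff"
    #    deviceLabelFields:
    #      - "class"
    #      - "vendor"
    #      - "device"
    #  local:
    ##   NOTE(review): local hooks execute programs found on the node inside the
    ##   worker; leave disabled unless the hook directory is trusted and immutable.
    #    hooksEnabled: false
    #  custom:
    #    # The following feature demonstrates the capabilities of the matchFeatures
    #    - name: "my custom rule"
    #      labels:
    #        "vendor.io/my-ng-feature": "true"
    #      # matchFeatures implements a logical AND over all matcher terms in the
    #      # list (i.e. all of the terms, or per-feature matchers, must match)
    #      matchFeatures:
    #        - feature: cpu.cpuid
    #          matchExpressions:
    #            AVX512F: {op: Exists}
    #        - feature: cpu.cstate
    #          matchExpressions:
    #            enabled: {op: IsTrue}
    #        - feature: cpu.pstate
    #          matchExpressions:
    #            no_turbo: {op: IsFalse}
    #            scaling_governor: {op: In, value: ["performance"]}
    #        - feature: cpu.rdt
    #          matchExpressions:
    #            RDTL3CA: {op: Exists}
    #        - feature: cpu.sst
    #          matchExpressions:
    #            bf.enabled: {op: IsTrue}
    #        - feature: cpu.topology
    #          matchExpressions:
    #            hardware_multithreading: {op: IsFalse}
    #
    #        - feature: kernel.config
    #          matchExpressions:
    #            X86: {op: Exists}
    #            LSM: {op: InRegexp, value: ["apparmor"]}
    #        - feature: kernel.loadedmodule
    #          matchExpressions:
    #            e1000e: {op: Exists}
    #        - feature: kernel.selinux
    #          matchExpressions:
    #            enabled: {op: IsFalse}
    #        - feature: kernel.version
    #          matchExpressions:
    #            major: {op: In, value: ["5"]}
    #            minor: {op: Gt, value: ["10"]}
    #
    #        - feature: storage.block
    #          matchExpressions:
    #            rotational: {op: In, value: ["0"]}
    #            dax: {op: In, value: ["0"]}
    #
    #        - feature: network.device
    #          matchExpressions:
    #            operstate: {op: In, value: ["up"]}
    #            speed: {op: Gt, value: ["100"]}
    #
    #        - feature: memory.numa
    #          matchExpressions:
    #            node_count: {op: Gt, value: ["2"]}
    #        - feature: memory.nv
    #          matchExpressions:
    #            devtype: {op: In, value: ["nd_dax"]}
    #            mode: {op: In, value: ["memory"]}
    #
    #        - feature: system.osrelease
    #          matchExpressions:
    #            ID: {op: In, value: ["fedora", "centos"]}
    #        - feature: system.name
    #          matchExpressions:
    #            nodename: {op: InRegexp, value: ["^worker-X"]}
    #
    #        - feature: local.label
    #          matchExpressions:
    #            custom-feature-knob: {op: Gt, value: ["100"]}
    #
    #    # The following feature demonstrates the capabilities of the matchAny
    #    - name: "my matchAny rule"
    #      labels:
    #        "vendor.io/my-ng-feature-2": "my-value"
    #      # matchAny implements a logical OR over all elements (sub-matchers) in
    #      # the list (i.e. at least one feature matcher must match)
    #      matchAny:
    #        - matchFeatures:
    #            - feature: kernel.loadedmodule
    #              matchExpressions:
    #                driver-module-X: {op: Exists}
    #            - feature: pci.device
    #              matchExpressions:
    #                vendor: {op: In, value: ["8086"]}
    #                class: {op: In, value: ["0200"]}
    #        - matchFeatures:
    #            - feature: kernel.loadedmodule
    #              matchExpressions:
    #                driver-module-Y: {op: Exists}
    #            - feature: usb.device
    #              matchExpressions:
    #                vendor: {op: In, value: ["8086"]}
    #                class: {op: In, value: ["02"]}
    #
    #    - name: "avx wildcard rule"
    #      labels:
    #        "my-avx-feature": "true"
    #      matchFeatures:
    #        - feature: cpu.cpuid
    #          matchName: {op: InRegexp, value: ["^AVX512"]}
    #
    #    # The following features demonstrate label templating capabilities
    #    - name: "my template rule"
    #      labelsTemplate: |
    #        {{ range .system.osrelease }}vendor.io/my-system-feature.{{ .Name }}={{ .Value }}
    #        {{ end }}
    #      matchFeatures:
    #        - feature: system.osrelease
    #          matchExpressions:
    #            ID: {op: InRegexp, value: ["^open.*"]}
    #            VERSION_ID.major: {op: In, value: ["13", "15"]}
    #
    #    - name: "my template rule 2"
    #      labelsTemplate: |
    #        {{ range .pci.device }}vendor.io/my-pci-device.{{ .class }}-{{ .device }}=with-cpuid
    #        {{ end }}
    #      matchFeatures:
    #        - feature: pci.device
    #          matchExpressions:
    #            class: {op: InRegexp, value: ["^06"]}
    #            # every matchExpressions entry needs an op; a bare list is not a valid expression
    #            vendor: {op: In, value: ["8086"]}
    #        - feature: cpu.cpuid
    #          matchExpressions:
    #            AVX: {op: Exists}
    #
    #    # The following examples demonstrate vars field and back-referencing
    #    # previous labels and vars
    #    - name: "my dummy kernel rule"
    #      labels:
    #        "vendor.io/my.kernel.feature": "true"
    #      matchFeatures:
    #        - feature: kernel.version
    #          matchExpressions:
    #            major: {op: Gt, value: ["2"]}
    #
    #    - name: "my dummy rule with no labels"
    #      vars:
    #        "my.dummy.var": "1"
    #      matchFeatures:
    #        - feature: cpu.cpuid
    #          matchExpressions: {}
    #
    #    - name: "my rule using backrefs"
    #      labels:
    #        "vendor.io/my.backref.feature": "true"
    #      matchFeatures:
    #        - feature: rule.matched
    #          matchExpressions:
    #            vendor.io/my.kernel.feature: {op: IsTrue}
    #            my.dummy.var: {op: Gt, value: ["0"]}
    #
    #    - name: "kconfig template rule"
    #      labelsTemplate: |
    #        {{ range .kernel.config }}kconfig-{{ .Name }}={{ .Value }}
    #        {{ end }}
    #      matchFeatures:
    #        - feature: kernel.config
    #          matchName: {op: In, value: ["SWAP", "X86", "ARM"]}
    ###
  metricsPort: 8081
  daemonsetAnnotations: {}
  podSecurityContext: {}
    # fsGroup: 2000
    # NOTE(review): the Pod Security "restricted" profile also requires
    # seccompProfile.type: RuntimeDefault; uncomment if your cluster enforces it.
    # seccompProfile:
    #   type: RuntimeDefault

  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: [ "ALL" ]
    readOnlyRootFilesystem: true
    # runAsNonRoot without an explicit runAsUser relies on the image declaring
    # a numeric non-root USER; the kubelet refuses to start the container otherwise.
    runAsNonRoot: true
    # runAsUser: 1000

  serviceAccount:
    # Specifies whether a service account should be created.
    # We create this by default to make it easier for downstream users to apply PodSecurityPolicies.
    create: true
    # Annotations to add to the service account
    annotations: {}
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name:

  rbac:
    create: true

  # Allow users to mount the hostPath /usr/src, useful for RHCOS on s390x
  # Does not work on systems without /usr/src AND a read-only /usr, such as Talos
  # NOTE(review): this is an extra hostPath mount into the worker; confirm the
  # chart template mounts it read-only before enabling.
  mountUsrSrc: false

  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi

  nodeSelector: {}
  tolerations: []
  annotations: {}
  affinity: {}
  priorityClassName: ""

topologyUpdater:
  config: ###
    ## key = node name, value = list of resources to be excluded.
    ## use * to exclude from all nodes.
    ## an example of what the exclude list should look like
    #excludeList:
    #  node1: [cpu]
    #  node2: [memory, example/deviceA]
    #  *: [hugepages-2Mi]
    ###

  # Disabled by default; see the securityContext note below before enabling.
  enable: false
  createCRDs: false

  serviceAccount:
    create: true
    annotations: {}
    name:
  rbac:
    create: true

  metricsPort: 8081
  kubeletConfigPath:
  kubeletPodResourcesSockPath:
  updateInterval: 60s
  # "*" watches every namespace; narrow it when the updater only needs a subset.
  watchNamespace: "*"
  kubeletStateDir: /var/lib/kubelet

  podSecurityContext: {}
    # NOTE(review): the Pod Security "restricted" profile also requires
    # seccompProfile.type: RuntimeDefault; uncomment if your cluster enforces it.
    # seccompProfile:
    #   type: RuntimeDefault
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: [ "ALL" ]
    readOnlyRootFilesystem: true
    # NOTE(review): unlike master/worker, this container runs as root and does
    # not set runAsNonRoot — presumably needed to read kubeletStateDir and the
    # kubelet podresources socket from the host. Review before enabling.
    runAsUser: 0

  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi

  nodeSelector: {}
  tolerations: []
  annotations: {}
  daemonsetAnnotations: {}
  affinity: {}
  podSetFingerprint: true

gc:
  enable: true
  replicaCount: 1

  serviceAccount:
    create: true
    annotations: {}
    name:
  rbac:
    create: true

  interval: 1h

  # NOTE(review): no container-level securityContext is defined for gc here,
  # unlike master/worker/topologyUpdater. Check whether the gc template reads
  # one before assuming the same hardening applies.
  podSecurityContext: {}

  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi

  metricsPort: 8081
  nodeSelector: {}
  tolerations: []
  annotations: {}
  deploymentAnnotations: {}
  affinity: {}

# Optionally use encryption for worker <--> master comms
# TODO: verify hostname is not yet supported
#
# If you do not enable certManager (and have it installed) you will
# need to manually, or otherwise, provision the TLS certs as secrets
#
# NOTE(review): this presumably covers only the deprecated gRPC path (see
# master.port); with enableNodeFeatureApi: true, confirm whether workers still
# use gRPC before relying on TLS here.
tls:
  enable: false
  certManager: false

prometheus:
  enable: false
  labels: {}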