title: secureCodeBox Operator
category: core
type: Operator
state: released
appVersion:
usecase: secureCodeBox Operator is the core component.

What is secureCodeBox Operator?

The secureCodeBox operator runs on Kubernetes and is the core component of the complete secureCodeBox stack; it is responsible for managing all scans and the resources they need.

Homepage: https://www.securecodebox.io/docs/getting-started/installation

Deployment

The operator chart can be deployed via helm:

```bash
# Install the Helm chart (use -n to install into another namespace)
helm upgrade --install operator oci://ghcr.io/securecodebox/helm/operator
```

Requirements

Kubernetes: >=v1.11.0-0

Deployment

The secureCodeBox Operator can be deployed via helm:

```bash
# Add the secureCodeBox Helm repo
helm repo add secureCodeBox https://charts.securecodebox.io
# Create a new namespace for the secureCodeBox Operator
kubectl create namespace securecodebox-system
# Install the Operator & CRDs into the namespace created above
helm install securecodebox-operator oci://ghcr.io/securecodebox/helm/operator --namespace securecodebox-system
```

Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| allowIstioSidecarInjectionInJobs | bool | `false` | Sets the value of the istio sidecar annotation (`sidecar.istio.io/inject`) for jobs started by the operator (scans, parsers and hooks). Defaults to false to prevent jobs hanging indefinitely because the sidecar never terminates. If you aren't using istio this setting/annotation has no effect. |
| customCACertificate | object | `{"certificate":"public.crt","existingCertificate":null}` | Setup for custom CA certificates. These are automatically mounted into every secureCodeBox component (lurker, parser & hooks). Requires that every namespace has a configmap with the CA certificate(s). |
| customCACertificate.certificate | string | `"public.crt"` | Key in the configmap holding the certificate(s) |
| customCACertificate.existingCertificate | string | `nil` | Name of the configMap holding the CA certificate(s); needs to be the same across all namespaces |
| extraVolumeMounts | list | `[]` | Additional volume mounts to be mounted into the operator deployment |
| extraVolumes | list | `[]` | Additional volumes to be mounted into the operator deployment |
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if the :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
| image.repository | string | `"docker.io/securecodebox/operator"` | The operator image repository |
| image.tag | string | defaults to the chart's version | Operator image tag |
| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) |
| lurker.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if the :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
| lurker.image.repository | string | `"docker.io/securecodebox/lurker"` | The lurker image repository |
| lurker.image.tag | string | defaults to the chart's version | Lurker image tag |
| metrics | object | `{"serviceMonitor":{"enabled":false}}` | Configuration for the metrics the operator exports |
| metrics.serviceMonitor.enabled | bool | `false` | Creates a prometheus-operator ServiceMonitor rule to automatically scrape the operator's metrics: https://github.com/prometheus-operator/prometheus-operator |
| minio | object | `{"auth":{"existingSecret":"","rootPassword":"","rootUser":"admin"},"defaultBuckets":"securecodebox","enabled":true,"image":{"pullPolicy":"IfNotPresent","repository":"docker.io/minio/minio","tag":"RELEASE.2025-07-23T15-54-02Z"},"persistence":{"size":"10Gi","storageClass":""},"podSecurityContext":{"fsGroup":1000,"runAsGroup":1000,"runAsUser":1000},"resources":{"limits":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"512Mi"},"requests":{"cpu":"100m","memory":"256Mi"}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"tls":{"enabled":false}}` | Minio configuration for direct deployment |
| minio.auth | object | `{"existingSecret":"","rootPassword":"","rootUser":"admin"}` | Authentication configuration |
| minio.auth.existingSecret | string | `""` | Name of an existing secret containing minio credentials (if set, auth.rootUser and auth.rootPassword are ignored) |
| minio.auth.rootPassword | string | `""` | Root password for minio (leave empty to generate a secure random password) |
| minio.auth.rootUser | string | `"admin"` | Root user for minio |
| minio.defaultBuckets | string | `"securecodebox"` | Default buckets to create on startup |
| minio.enabled | bool | `true` | Enable this to use minio as the storage backend instead of a cloud bucket provider like AWS S3, Google Cloud Storage, DigitalOcean Spaces etc. |
| minio.image | object | `{"pullPolicy":"IfNotPresent","repository":"docker.io/minio/minio","tag":"RELEASE.2025-07-23T15-54-02Z"}` | Minio image configuration |
| minio.persistence | object | `{"size":"10Gi","storageClass":""}` | Persistence configuration |
| minio.persistence.size | string | `"10Gi"` | Size of the persistent volume |
| minio.persistence.storageClass | string | `""` | Storage class for minio data persistence |
| minio.podSecurityContext | object | `{"fsGroup":1000,"runAsGroup":1000,"runAsUser":1000}` | Pod security context for minio |
| minio.resources | object | `{"limits":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"512Mi"},"requests":{"cpu":"100m","memory":"256Mi"}}` | Resource limits and requests for minio |
| minio.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context for minio |
| minio.tls | object | `{"enabled":false}` | TLS configuration (currently not implemented) |
| nodeSelector | object | `{}` | |
| podSecurityContext | object | `{}` | Sets the securityContext on the operator's pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container |
| presignedUrlExpirationTimes | object | `{"hooks":"1h","parsers":"1h","scanners":"12h"}` | How long presigned URLs are valid |
| probes | object | `{"liveness":{"httpGet":{"path":"/healthz","port":"healthchecks"},"initialDelaySeconds":15,"periodSeconds":20},"readiness":{"httpGet":{"path":"/readyz","port":"healthchecks"},"initialDelaySeconds":5,"periodSeconds":10}}` | Health and liveness probe configuration for the controller manager |
| probes.liveness | object | `{"httpGet":{"path":"/healthz","port":"healthchecks"},"initialDelaySeconds":15,"periodSeconds":20}` | Liveness probe configuration |
| probes.readiness | object | `{"httpGet":{"path":"/readyz","port":"healthchecks"},"initialDelaySeconds":5,"periodSeconds":10}` | Readiness probe configuration |
| resources | object | `{"limits":{"cpu":"100m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
| s3.authType | string | `"access-secret-key"` | Authentication method. Supports `access-secret-key` (used by most S3 endpoints) and `aws-iam` (used by AWS EKS IAM Role to Kubernetes Service Account binding (IRSA) and EKS Pod Identity authentication). Support for AWS IRSA is considered experimental in the secureCodeBox. |
| s3.awsStsEndpoint | string | `"https://sts.amazonaws.com"` | STS endpoint used for AWS IRSA authentication. Change this to the STS endpoint of your AWS region. Only used when s3.authType is set to "aws-iam". Usually not required, even in IRSA or Pod Identity setups, as the region gets injected into the pod by AWS. |
| s3.bucket | string | `"my-bucket"` | |
| s3.enabled | bool | `false` | |
| s3.endpoint | string | `"fra1.digitaloceanspaces.com"` | |
| s3.keySecret | string | `"my-secret"` | |
| s3.port | string | `nil` | |
| s3.secretAttributeNames.accesskey | string | `"accesskey"` | |
| s3.secretAttributeNames.secretkey | string | `"secretkey"` | |
| s3.tls.enabled | bool | `true` | |
| s3.urlTemplate | string | `scan-{{ .Scan.UID }}/{{ .Filename }}` | Go template that generates the path used to store the raw result file and the findings.json file in the S3 bucket. Can be used to store the files in a subfolder of the S3 bucket. |
| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Sets the securityContext on the operator's container level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod |
| securityContext.allowPrivilegeEscalation | bool | `false` | Ensures that the process cannot gain more privileges than its parent |
| securityContext.capabilities.drop[0] | string | `"ALL"` | Drops all Linux capabilities from the operator container; they are not required |
| securityContext.privileged | bool | `false` | Ensures that the operator container is not run in privileged mode |
| securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the container's file system |
| securityContext.runAsNonRoot | bool | `true` | Enforces that the operator image is run as a non-root user |
| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | One of RuntimeDefault, Unconfined, Localhost. To disable the seccomp profile, set to Unconfined. See: https://kubernetes.io/docs/tutorials/security/seccomp/ |
| serviceAccount.annotations | object | `{}` | Annotations of the serviceAccount the operator uses to talk to the k8s API |
| serviceAccount.labels | object | `{}` | Labels of the serviceAccount the operator uses to talk to the k8s API |
| serviceAccount.name | string | `"securecodebox-operator"` | Name of the serviceAccount the operator uses to talk to the k8s API |
| telemetryEnabled | bool | `true` | The operator sends anonymous telemetry data to give the team an overview of how much the secureCodeBox is used. Find out more at https://www.securecodebox.io/telemetry |
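As an added example (not part of the chart or its documentation), a values file that switches the operator from the bundled minio to an external S3-compatible store with credentials taken from an existing Secret, trusts a private CA, shortens the presigned-URL lifetimes and keeps the chart's container hardening explicit. The endpoint, bucket, Secret and ConfigMap names are assumed placeholders; apply it with `helm upgrade --install securecodebox-operator oci://ghcr.io/securecodebox/helm/operator -n securecodebox-system -f values-hardened.yaml`.

```yaml
# values-hardened.yaml (added example, not shipped with the chart).
# ASSUMED placeholders: endpoint, bucket, Secret and ConfigMap names below are invented.
minio:
  enabled: false                      # do not run the bundled object store

s3:
  enabled: true
  endpoint: "s3.example.internal"     # ASSUMED endpoint of the S3-compatible store
  port: "443"
  tls:
    enabled: true                     # raw scan results never travel in cleartext
  bucket: "scb-results"               # ASSUMED bucket name
  authType: "access-secret-key"
  keySecret: "scb-s3-credentials"     # ASSUMED Secret, created out of band, not via values
  secretAttributeNames:
    accesskey: "accesskey"
    secretkey: "secretkey"
  urlTemplate: "scans/{{ .Scan.UID }}/{{ .Filename }}"   # one subfolder per scan

# Chart defaults are 12h for scanners and 1h for parsers/hooks; shorter lifetimes
# narrow the window in which a leaked presigned URL still grants access to results.
presignedUrlExpirationTimes:
  scanners: "2h"
  parsers: "30m"
  hooks: "30m"

# Private CA for the S3 endpoint, mounted into lurker, parser and hook pods.
# The ConfigMap must exist under this name in every namespace that runs scans.
customCACertificate:
  existingCertificate: "internal-ca"  # ASSUMED ConfigMap name
  certificate: "public.crt"

allowIstioSidecarInjectionInJobs: false   # injected sidecars would keep scan jobs running forever

metrics:
  serviceMonitor:
    enabled: true                     # let prometheus-operator scrape the operator metrics

telemetryEnabled: false

# These match the chart defaults; restating them keeps a later override from
# silently loosening the operator container.
securityContext:
  allowPrivilegeEscalation: false
  privileged: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  capabilities:
    drop: ["ALL"]
  seccompProfile:
    type: "RuntimeDefault"
```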

License

Code of secureCodeBox is licensed under the Apache License 2.0.