Runecast Analyzer

This chart deploys Runecast Analyzer with nginx frontend proxy and PostgreSQL backend. For more information about Runecast Analyzer please visit the Runecast website.

Requirements
Installation and upgrade
- OS analysis
Values
- Examples
- List of values
Usage

Requirements

Kubernetes cluster
Helm 3 (Helm 2.2.0+ should work but is not validated)
2.6 CPU requests / 6.5 CPU limits
7.4 GB RAM requests / 14 GB RAM limits
61 GB persistent storage

Installation and upgrade

To install Runecast Analyzer with the default settings, follow these steps:

Add Runecast Helm repository to Helm repository list:

helm repo add runecast https://helm.runecast.com/charts

Install Runecast Analyzer

helm upgrade --install runecast-analyzer runecast/runecast-analyzer

OS analysis

OS analysis in Runecast Analyzer requires additional components to be installed. If we installed them by default, it would mean a waste of resources for those, that won’t use this feature.

Therefore, in K8s deployment, additional steps are needed besides the standard OS analysis configuration process. To deploy the application:

Prepare a hostname (FQDN or IP address) that will be used by the OS agents to reach the OS analysis service. The hostname should lead to the OS analysis service, which can be exposed on the nodes as a NodePort or as a LoadBalancer if external loadbalancer is used.
Deploy the application using a Helm chart with value global.osanalysis.enabled set to true and hostname specified in global.osanalysis.hostname.
To configure the OS analysis, continue in the application. Use the hostname from the previous step in the Runecast Address field.

Please see the Examples below for more information.

Values

To modify the deployment, please use values.yaml file with the required changes or set the individual values directly on the command line. The list of values can be found in the section List of values or displayed by running the following command:

helm show values runecast/runecast-analyzer

Examples

To find more information about changing deployment values, please see the Values Files section of the Helm User Guide.

Using ingress with SSL termination

The following example shows how to deploy the application and expose it via Nginx ingress with SSL termination.

Create the secret runecast-analyzer-ingress-tls from the key and the certificate:

kubectl create secret tls runecast-analyzer-ingress-tls --key </path/to/key_file> --cert </path/to/cert_file>

To create a self-signed certificate for testing, you can use the following command:

openssl req -x509 -nodes -newkey rsa:4096 -days 365 -keyout </path/to/key_file> -out </path/to/cert_file> -subj "/CN=localhost"

Create the my-values.yaml file with the following content:

nginx:
  ingress:
    enabled: true
    hosts:
      - host: rca.local.domain
        paths:
          - / 
    tls:
      - secretName: runecast-analyzer-ingress-tls
        hosts:
          - rca.local.domain

Install the application providing the custom my-values.yaml file:

helm upgrade --install runecast-analyzer runecast/runecast-analyzer -f my-values.yaml

Running without persistent data

By default, the application is installed with Persistent Volumes. If you would like to test the application without persisting data, you can simply disable the persistence storage by setting the respective values:

helm upgrade --install runecast-analyzer runecast/runecast-analyzer --set persistence.enabled=false --set postgresql.persistence.enabled=false --set imagescanning.persistence.enabled=false

Exposing the application via LoadBalancer service on secure port with custom certificate

Create the secret runecast-analyzer-certificate from the key and the certificate:

kubectl create secret tls runecast-analyzer-certificate --key </path/to/key_file> --cert </path/to/cert_file>

Install the application providing the custom values on the command line:

helm upgrade --install runecast-analyzer runecast/runecast-analyzer --set nginx.service.type="LoadBalancer" --set nginx.service.tls.enabled=true --set nginx.service.tls.existingSecretName="runecast-analyzer-certificate"

Installing with OS analysis enabled

Prepare a hostname that will point to the OS analysis service. The service can be exposed via NodePort on the nodes or via LoadBalancer if external loadbalancer is used. The default is service of type NodePort with the port set to 31443. To change it, please see the fleet.service values.

Deploy the application with OS analysis enabled:

helm upgrade --install runecast-analyzer runecast/runecast-analyzer --set global.osanalysis.enabled=true --set global.osanalysis.hostname="example.cluster.k8s"

List of values

Global values and Runecast

Value	Default	Description
`global.imageRepository`	`public.ecr.aws/runecast`	The repository to pull the images from, applicable to all subcharts.
`global.runecastAnalyzerServiceName`	`runecast-analyzer`	Runecast Analyzer app service name, that cannot be overriden by nameOverride and fullnameOverride values. The value is required to be used in the nginx subchart and because of Helm limitataion, global value is used.
`global.osanalysis.enabled`	`false`	Deploy the OS analysis components.
`global.osanalysis.hostname`		Specify a hostname that can be used to reach the K8s nodes where the OS analysis service is running.
`global.imagescanning.enabled`	`true`	Enable the image scanning/validation webhook functionality.
`global.proxy`	`""`	Set a proxy server to use for connections to ecosystems, knowledge definition updates and container image registries, in the form of ‘http://:’.
`image.repository`	`""`	The repository to pull the application and busybox images from, overrides the global value.
`image.tag`	`""`	The application image tag whose default is the chart appVersion.
`image.busyboxTag`	`"1.35.0"`	Sets the busybox image tag.
`imagePullPolicy`	`Always`	Kubelet image pull policy.
`imagePullSecrets`	`[]`	List of secrets to use when pullling the image.
`nameOverride`	`""`	Override the objects’ names, using release name as a prefix.
`fullnameOverride`	`""`	Override the whole objects’ names (release name not used as a prefix).
`serviceAccount.annotations`	`{}`	Annotations to add to the service account.
`serviceAccount.name`	`""`	The name of the service account to use. If not set and create is true, a name is generated using the name template.
`podAnnotations`	`{}`	Specifies whether to annotate the pod.
`service.type`	`ClusterIP`	Kubernetes service type.
`service.port`	`8080`	Kubernetes service port.
`resources.requests.cpu`	`"1"`	CPU requests.
`resources.requests.memory`	`2Gi`	Memory requests.
`resources.limits.cpu`	`"2"`	CPU limits.
`resources.limits.memory`	`3Gi`	Memory limits.
`persistence.enabled`	`true`	Specifies whether to enable the data persistence.
`persistence.annotations`	`{}`	Specifies the persistent volume objects’ annotations.
`persistence.size`	`10Gi`	The size of the persistent volume.
`persistence.storageClass`	`""`	Use a specific storage class. If not specified, the default is used.
`persistence.accessModes`	`[ReadWriteOnce]`	Specifies the storage access modes, storage provider dependant.
`nodeSelector`	`{}`	Allows to schedule the pod on specific nodes.
`affinity`	`{}`	Allows more control of scheduling the pod on specific nodes.
`tolerations`	`[]`	Another way of controlling where the pod will be scheduled.

Database backend (PostgreSQL)

Value	Default	Description
`postgresql.image.repository`	`""`	The repository to pull the PostgreSQL and busybox images from, overrides the global value.
`postgresql.image.tag`	`""`	Overrides the postgresql image tag whose default is the subchart appVersion.
`postgresql.image.busyboxTag`	`"1.35.0"`	Sets the busybox image tag.
`postgresql.imagePullPolicy`	`Always`	Kubelet image pull policy.
`postgresql.imagePullSecrets`	`[]`	List of secrets to use when pullling the image.
`postgresql.nameOverride`	`""`	Override the objects’ names, using release name as a prefix.
`postgresql.fullnameOverride`	`""`	Override the whole objects’ names (release name not used as a prefix).
`postgresql.serviceAccount.create`	`true`	Specifies whether a service account should be created (default namespace account used if set to false).
`postgresql.serviceAccount.annotations`	`{}`	Annotations to add to the service account.
`postgresql.serviceAccount.name`	`""`	The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
`postgresql.podAnnotations`	`{}`	Specifies whether to annotate the pod.
`postgresql.service.type`	`ClusterIP`	Kubernetes service type.
`postgresql.service.port`	`5432`	Kubernetes service port.
`postgresql.resources.requests.cpu`	`100m`	CPU requests.
`postgresql.resources.requests.memory`	`150M`	Memory requests.
`postgresql.resources.limits.cpu`	`"1"`	CPU limits.
`postgresql.resources.limits.memory`	`500M`	Memory limits.
`postgresql.persistence.enabled`	`true`	Specifies whether to enable the data persistence.
`postgresql.persistence.annotations`	`{}`	Specifies the persistent volume objects’ annotations.
`postgresql.persistence.size`	`10G`	The size of the persistent volume.
`postgresql.persistence.storageClass`	`""`	Use a specific storage class. If not specified, the default is used.
`postgresql.persistence.accessModes`	`[ReadWriteOnce]`	Specifies the storage access modes, storage provider dependant.
`postgresql.nodeSelector`	`{}`	Allows to schedule the pod on specific nodes.
`postgresql.affinity`	`{}`	Allows more control of scheduling the pod on specific nodes.
`postgresql.tolerations`	`[]`	Another way of controlling where the pod will be scheduled.

Reverse proxy frontend (nginx)

Value	Default	Description
`nginx.image.repository`	`""`	The repository to pull the nginx image from, overrides the global value.
`nginx.image.tag`	`""`	Overrides the image tag whose default is the subchart appVersion
`nginx.imagePullPolicy`	`Always`	Kubelet image pull policy.
`nginx.imagePullSecrets`	`[]`	List of secrets to use when pullling the image.
`nginx.nameOverride`	`""`	Override the objects’ names, using release name as a prefix.
`nginx.fullnameOverride`	`""`	Override the whole objects’ names (release name not used as a prefix).
`nginx.serviceAccount.create`	`true`	Specifies whether a service account should be created (default namespace account used if set to false).
`nginx.serviceAccount.annotations`	`{}`	Annotations to add to the service account.
`nginx.serviceAccount.name`	`""`	The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
`nginx.podAnnotations`	`{}`	Specifies whether to annotate the pod.
`nginx.service.type`	`ClusterIP`	Kubernetes service type.
`nginx.service.port`	`9080`	Kubernetes service port.
`nginx.service.tls.enabled`	`false`	Enables secure connection to the service.
`nginx.service.tls.existingSecretName`		The name of the existing secret where certificate and key are stored. If not defined, will be automatically generated.
`nginx.service.tls.ssl_protocols`	`TLSv1.3 TLSv1.2;`	Nginx SSL protocols setting.
`nginx.service.tls.ssl_ciphers`	`HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384;`	Nginx SSL ciphers setting.
`nginx.ingress.enabled`	`false`	Specifies whether to enable ingress for accessing the application.
`nginx.ingress.annotations`	`{}`	Specifies the ingress object annotations.
`nginx.ingress.hosts`	`[]`	Array of host and paths objects.
`nginx.ingress.hosts.host`	`""`	Host name string.
`nginx.ingress.hosts.paths`	`[]`	Array of paths to publish (typically ‘/’, pathType ‘Prefix’ is automatically set).
`nginx.ingress.tls`	`[]`	Specifies whether to use secure connection to the ingress.
`nginx.ingress.tls.secretName`	`""`	The name of the secret where certificate and key are stored.
`nginx.ingress.tls.hosts`	`[]`	List of hosts names.
`nginx.resources.requests.cpu`	`100m`	CPU requests.
`nginx.resources.requests.memory`	`100M`	Memory requests.
`nginx.resources.limits.cpu`	`500m`	CPU limits.
`nginx.resources.limits.memory`	`500M`	Memory limits.
`nginx.nodeSelector`	`{}`	Allows to schedule the pod on specific nodes.
`nginx.affinity`	`{}`	Allows more control of scheduling the pod on specific nodes.
`nginx.tolerations`	`[]`	Another way of controlling where the pod will be scheduled.

OS analysis

Value	Default	Description
`fleet.image.repository`	`""`	The repository to pull the fleet image from, overrides the global value.
`fleet.image.tag`	`""`	Overrides the image tag whose default is the subchart appVersion
`fleet.imagePullPolicy`	`Always`	Kubelet image pull policy.
`fleet.imagePullSecrets`	`[]`	List of secrets to use when pullling the image.
`fleet.nameOverride`	`""`	Override the objects’ names, using release name as a prefix.
`fleet.fullnameOverride`	`""`	Override the whole objects’ names (release name not used as a prefix).
`fleet.serviceAccount.create`	`true`	Specifies whether a service account should be created (default namespace account used if set to false).
`fleet.serviceAccount.annotations`	`{}`	Annotations to add to the service account.
`fleet.serviceAccount.name`	`""`	The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
`fleet.podAnnotations`	`{}`	Specifies whether to annotate the pod.
`fleet.service.type`	`NodePort`	`NodePort` or `LoadBalancer`, to access the OS analysis service from outside of the cluster. Kubernetes service type docs.
`fleet.service.loadBalancerIP`		If `LoadBalancer` is used as a type, `loadBalancerIP` needs to be set and `global.osanalysis.hostname` should point to it.
`fleet.service.port`	`8443`	Kubernetes service port.
`fleet.service.nodePort`	`31443`	Kubernetes service port to access on nodes.
`fleet.resources.requests.cpu`	`100m`	CPU requests.
`fleet.resources.requests.memory`	`100M`	Memory requests.
`fleet.resources.limits.cpu`	`"1"`	CPU limits.
`fleet.resources.limits.memory`	`4G`	Memory limits.
`fleet.nodeSelector`	`{}`	Allows to schedule the pod on specific nodes.
`fleet.affinity`	`{}`	Allows more control of scheduling the pod on specific nodes.
`fleet.tolerations`	`[]`	Another way of controlling where the pod will be scheduled.
`fleet.mysql.image.repository`	`""`	The repository to pull the mysql and busybox images from, overrides the global value.
`fleet.mysql.image.tag`	`""`	Overrides the mysql image tag whose default is the subchart appVersion.
`fleet.mysql.image.busyboxTag`	`"1.35.0"`	Sets the busybox image tag.
`fleet.mysql.imagePullPolicy`	`Always`	Kubelet image pull policy.
`fleet.mysql.imagePullSecrets`	`[]`	List of secrets to use when pullling the image.
`fleet.mysql.nameOverride`	`""`	Override the objects’ names, using release name as a prefix.
`fleet.mysql.fullnameOverride`	`""`	Override the whole objects’ names (release name not used as a prefix).
`fleet.mysql.serviceAccount.create`	`true`	Specifies whether a service account should be created (default namespace account used if set to false).
`fleet.mysql.serviceAccount.annotations`	`{}`	Annotations to add to the service account.
`fleet.mysql.serviceAccount.name`	`""`	The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
`fleet.mysql.podAnnotations`	`{}`	Specifies whether to annotate the pod.
`fleet.mysql.service.type`	`ClusterIP`	Kubernetes service type.
`fleet.mysql.service.port`	`3306`	Kubernetes service port.
`fleet.mysql.resources.requests.cpu`	`100m`	CPU requests.
`fleet.mysql.resources.requests.memory`	`256Mi`	Memory requests.
`fleet.mysql.resources.limits.cpu`	`500m`	CPU limits.
`fleet.mysql.resources.limits.memory`	`500M`	Memory limits.
`fleet.mysql.persistence.enabled`	`true`	Specifies whether to enable the data persistence.
`fleet.mysql.persistence.annotations`	`{}`	Specifies the persistent volume objects’ annotations.
`fleet.mysql.persistence.size`	`10G`	The size of the persistent volume.
`fleet.mysql.persistence.storageClass`	`""`	Use a specific storage class. If not specified, the default is used.
`fleet.mysql.persistence.accessModes`	`[ReadWriteOnce]`	Specifies the storage access modes, storage provider dependant.
`fleet.mysql.nodeSelector`	`{}`	Allows to schedule the pod on specific nodes.
`fleet.mysql.affinity`	`{}`	Allows more control of scheduling the pod on specific nodes.
`fleet.mysql.tolerations`	`[]`	Another way of controlling where the pod will be scheduled.
`fleet.redis.image.repository`	`""`	The repository to pull the redis image from, overrides the global value.
`fleet.redis.image.tag`	`""`	Overrides the image tag whose default is the subchart appVersion.
`fleet.redis.imagePullPolicy`	`Always`	Kubelet image pull policy.
`fleet.redis.imagePullSecrets`	`[]`	List of secrets to use when pullling the image.
`fleet.redis.nameOverride`	`""`	Override the objects’ names, using release name as a prefix.
`fleet.redis.fullnameOverride`	`""`	Override the whole objects’ names (release name not used as a prefix).
`fleet.redis.serviceAccount.create`	`true`	Specifies whether a service account should be created (default namespace account used if set to false).
`fleet.redis.serviceAccount.annotations`	`{}`	Annotations to add to the service account.
`fleet.redis.serviceAccount.name`	`""`	The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
`fleet.redis.podAnnotations`	`{}`	Specifies whether to annotate the pod.
`fleet.redis.service.type`	`ClusterIP`	Kubernetes service type.
`fleet.redis.service.port`	`6379`	Kubernetes service port.
`fleet.redis.resources.requests.cpu`	`100m`	CPU requests.
`fleet.redis.resources.requests.memory`	`256Mi`	Memory requests.
`fleet.redis.resources.limits.cpu`	`500m`	CPU limits.
`fleet.redis.resources.limits.memory`	`500M`	Memory limits.
`fleet.redis.nodeSelector`	`{}`	Allows to schedule the pod on specific nodes.
`fleet.redis.affinity`	`{}`	Allows more control of scheduling the pod on specific nodes.
`fleet.redis.tolerations`	`[]`	Another way of controlling where the pod will be scheduled.

Image Scanning

Value	Default	Description
`imagescanning.image.repository`	`""`	The repository to pull the imagescanning image from, overrides the global value.
`imagescanning.image.tag`	`""`	Overrides the image tag whose default is the subchart appVersion
`imagescanning.imagePullPolicy`	`Always`	Kubelet image pull policy.
`imagescanning.imagePullSecrets`	`[]`	List of secrets to use when pullling the image.
`imagescanning.nameOverride`	`""`	Override the objects’ names, using release name as a prefix.
`imagescanning.fullnameOverride`	`""`	Override the whole objects’ names (release name not used as a prefix).
`imagescanning.serviceAccount.create`	`true`	Specifies whether a service account should be created (default namespace account used if set to false).
`imagescanning.serviceAccount.annotations`	`{}`	Annotations to add to the service account.
`imagescanning.serviceAccount.name`	`""`	The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
`imagescanning.podAnnotations`	`{}`	Specifies whether to annotate the pod.
`imagescanning.resources.requests.cpu`	`100m`	CPU requests.
`imagescanning.resources.requests.memory`	`500M`	Memory requests.
`imagescanning.resources.limits.cpu`	`1`	CPU limits.
`imagescanning.resources.limits.memory`	`2Gi`	Memory limits.
`imagescanning.persistence.enabled`	`true`	Specifies whether to enable the data persistence (persists imagescanning cache through pod restarts).
`imagescanning.persistence.annotations`	`{}`	Specifies the persistent volume objects’ annotations.
`imagescanning.persistence.size`	`500M`	The size of the persistent volume.
`imagescanning.persistence.storageClass`	`""`	Use a specific storage class. If not specified, the default is used.
`imagescanning.persistence.accessModes`	`[ReadWriteOnce]`	Specifies the storage access modes, storage provider dependant.
`imagescanning.nodeSelector`	`{}`	Allows to schedule the pod on specific nodes.
`imagescanning.affinity`	`{}`	Allows more control of scheduling the pod on specific nodes.
`imagescanning.tolerations`	`[]`	Another way of controlling where the pod will be scheduled.

Usage

To find out how to configure and use the product, including the required permissions for scanning a Kubernetes cluster, please follow the official documentation available at https://docs.runecast.com/.