Available in:  EE

The module lifecycle stageExperimental
The module has requirements for installation

How to explicitly enable the module…

You may explicitly enable or disable the module in one of the following ways:

  • Via Deckhouse web UI. In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the security-events-manager module and enable (or disable) the “Module enabled” toggle. Save changes.

    Example:

    Module enable/disable interface
  • Via Deckhouse CLI (d8).

    Use the d8 system module enable command for enabling, or d8 system module disable command for disabling the module (you need Deckhouse CLI (d8), configured to work with the cluster).

    Example of enabling the module:

    d8 system module enable security-events-manager
  • Using ModuleConfig security-events-manager.

    Set spec.enabled to true or false in ModuleConfig security-events-manager (create it if necessary);

    Example of a manifest to enable module security-events-manager:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: security-events-manager
    spec:
      enabled: true

How to configure the module…

You can configure the module in one of the following ways:

  • Via Deckhouse web UI.

    In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the security-events-manager module and enable the “Advanced Settings” switch. Fill in the required fields in the “Configuration” tab or specify the module settings in YAML format on the “YAML” tab, excluding the settings section. Save the changes.

    Example:

    Module Setup Interface

    You can also edit the ModuleConfig object security-events-manager on the “YAML” tab in the module settings window (“System” → “System Management” → “Deckhouse” → “Modules”, open the module security-events-manager) by specifying the schema version in the spec.version parameter and the necessary module parameters in the spec.settings section.

  • Via Deckhouse CLI (d8) (requires Deckhouse CLI (d8) configured to work with the cluster).

    Edit the existing ModuleConfig security-events-manager (for more details on configuring Deckhouse, see the documentation) by executing the following command:

    d8 k edit mc security-events-manager

    Make the necessary changes in the spec.settings section. If necessary, specify the schema version in the spec.version parameter. Save the changes.

    You can also create a file with manifest for ModuleConfig security-events-manager using the example below. Fill in the spec.settings section with the required module parameters. If necessary, specify the schema version in the spec.version parameter.

    Apply the manifest using the following command (indicate the manifest file name):

    d8 k apply -f <FILENAME>

    Example of a manifest for ModuleConfig security-events-manager:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: security-events-manager
    spec:
      version: 1
      enabled: true
      settings: # Module parameters from the "Parameters" section below.

How to change the module release channel…

To change the module release channel, follow the instruction.

Requirements

To the Deckhouse version: 1.74 and above.

To the versions of other modules:

  • log-shipper: any version.
  • loki: any version.

Parameters

Schema version: 1

  • settings
    object
    • settings.clusterSecurityEventDestination
      object
      Configs for ClusterSecurityEventDestination objects
      • settings.clusterSecurityEventDestination.clusterLoki
        boolean
        Whether to generate ClusterSecurityEventDestination for cluster Loki.

        Default: true

    • settings.controller
      object
      Security events controller settings.
      • settings.controller.replicas
        integer
        Number of controller replicas.

        Default: 1

      • settings.controller.resourcesRequests
        object
        Resource request management for controller. When vertical-pod-autoscaler is disabled, static or VPA min values are used as requests.
        • settings.controller.resourcesRequests.mode
          string

          Default: VPA

          Allowed values: VPA, Static

        • settings.controller.resourcesRequests.static
          object

          Default: {}

          • settings.controller.resourcesRequests.static.cpu

            Default: 10m

          • settings.controller.resourcesRequests.static.memory

            Default: 64Mi

        • settings.controller.resourcesRequests.vpa
          object

          Default: {}

          • settings.controller.resourcesRequests.vpa.cpu
            object

            Default: {}

            • settings.controller.resourcesRequests.vpa.cpu.max

              Default: 100m

            • settings.controller.resourcesRequests.vpa.cpu.min

              Default: 10m

          • settings.controller.resourcesRequests.vpa.memory
            object

            Default: {}

            • settings.controller.resourcesRequests.vpa.memory.max

              Default: 256Mi

            • settings.controller.resourcesRequests.vpa.memory.min

              Default: 64Mi

          • settings.controller.resourcesRequests.vpa.mode
            string

            Default: Initial

            Allowed values: Initial, Auto

    • settings.gateway
      object
      Security events gateway settings.
      • settings.gateway.nodeSelector
        object
        Node selector for gateway Deployment.
      • settings.gateway.replicas
        integer
        Number of gateway replicas.

        Default: 2

      • settings.gateway.resources
        object
        Resource requests/limits for gateway pods.
        • settings.gateway.resources.limits
          object
          • settings.gateway.resources.limits.cpu
            string
          • settings.gateway.resources.limits.memory
            string
        • settings.gateway.resources.requests
          object
          • settings.gateway.resources.requests.cpu
            string

            Default: 100m

          • settings.gateway.resources.requests.memory
            string

            Default: 128Mi

      • settings.gateway.resourcesRequests
        object
        Resource request management for gateway (vector container). When vertical-pod-autoscaler is disabled, static or VPA min values are used as requests.
        • settings.gateway.resourcesRequests.mode
          string

          Default: VPA

          Allowed values: VPA, Static

        • settings.gateway.resourcesRequests.static
          object

          Default: {}

          • settings.gateway.resourcesRequests.static.cpu

            Default: 100m

          • settings.gateway.resourcesRequests.static.memory

            Default: 128Mi

        • settings.gateway.resourcesRequests.vpa
          object

          Default: {}

          • settings.gateway.resourcesRequests.vpa.cpu
            object

            Default: {}

            • settings.gateway.resourcesRequests.vpa.cpu.max

              Default: 3000m

            • settings.gateway.resourcesRequests.vpa.cpu.min

              Default: 100m

          • settings.gateway.resourcesRequests.vpa.memory
            object

            Default: {}

            • settings.gateway.resourcesRequests.vpa.memory.max

              Default: 4096Mi

            • settings.gateway.resourcesRequests.vpa.memory.min

              Default: 128Mi

          • settings.gateway.resourcesRequests.vpa.mode
            string

            Default: Initial

            Allowed values: Initial, Auto

      • settings.gateway.tolerations
        array of objects
        Tolerations for gateway pods.
    • settings.securityEventConfig
      object
      Default configuration of security alert sources and destination (default resource ClusterSecurityEventConfig). Can be overridden per CR ClusterSecurityEventShipper.

      Default: { "destinations": [ "cluster-loki" ], "enabled": true, "sourcesMasks": [ "podSecurityEventShipper/*", "clusterSecurityEventShipper/*" ] }

      • settings.securityEventConfig.destinations
        array of strings
        List of ClusterSecurityEventDestination names.

        Default: [ "cluster-loki" ]

      • settings.securityEventConfig.enabled
        boolean
        Generate default ClusterSecurityEventConfig.

        Default: true

      • settings.securityEventConfig.minimumSeverityThreshold
        string
        Minimal severity to ship (inclusive).

        Default: Medium

        Allowed values: Low, Medium, High, Critical

      • settings.securityEventConfig.sources
        array of strings
        List of enabled source identifiers (used when sourcesMasks is not set).
      • settings.securityEventConfig.sourcesMasks
        array of strings
        List of glob-style masks for enabled sources (e.g. “*” for all). Mutually exclusive with sources. When set, ClusterSecurityEventConfig uses enabledSourcesMasks.