Wallarm-Specific Values of the Wallarm eBPF Helm Chart¶
This document provides information about Wallarm-specific Helm chart values that can be modified during the deployment or upgrade of the eBPF solution. These values control the global configuration of the Wallarm eBPF Helm chart.
The Wallarm-specific part of the default values.yaml
that you may need to change looks like the following:
config:
api:
token: ""
host: api.wallarm.com
port: 443
useSSL: true
mutualTLS: false
agent:
mirror:
allNamespaces: false
filters: []
# - namespace: "default"
# - namespace: 'my-namespace'
# pod_labels:
# label_name1: 'label_value_1'
# label_name2: 'label_value_2,label_value_3'
# pod_annotations:
# annotation_name1: 'annotation_value_1'
# annotation_name2: 'annotation_value_2,annotation_value_4'
loadBalancerRealIPHeader: 'X-Real-IP'
loadBalancerTrustedCIDRs: []
# - 10.0.0.0/8
# - 192.168.0.0/16
# - 172.16.0.0/12
# - 127.0.0.0/8
# - fd00::/8
...
processing:
...
metrics:
enabled: false
...
affinity: {}
# podAntiAffinity:
# preferredDuringSchedulingIgnoredDuringExecution:
# - weight: 100
# podAffinityTerm:
# labelSelector:
# matchExpressions:
# - key: component
# operator: In
# values:
# - mtls-router
# - key: app
# operator: In
# values:
# - mtls-router
# topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
config.api.token¶
The Wallarm node token created in Wallarm Console in the US or EU Cloud. It is required to access Wallarm API.
config.api.host¶
Wallarm API endpoint. Can be:
config.api.port¶
Wallarm API endpoint port. By default, 443
.
config.api.useSSL¶
Specifies whether to use SSL to access the Wallarm API. By default, true
.
config.mutualTLS¶
Enables mTLS support, allowing the Wallarm processing node to authenticate the security of traffic from the eBPF agent. By default, false
(disabled).
The parameter is supported starting from the Helm chart version 0.10.26.
config.agent.mirror.allNamespaces¶
Enables traffic mirroring for all namespaces. The default value is false
.
Not recommended to set to true
Enabling this by setting it to true
can cause data duplication and increased resource usage. Prefer selective mirroring using namespace labels, pod annotations, or config.agent.mirror.filters
in values.yaml
.
config.agent.mirror.filters¶
Controls the level of traffic mirroring. Here is an example of the filters
parameter:
...
agent:
mirror:
allNamespaces: false
filters:
- namespace: "default"
- namespace: 'my-namespace'
pod_labels:
label_name1: 'label_value_1'
label_name2: 'label_value_2,label_value_3'
pod_annotations:
annotation_name1: 'annotation_value_1'
annotation_name2: 'annotation_value_2,annotation_value_4'
config.agent.loadBalancerRealIPHeader¶
Specifies the header name used by a load balancer to convey the original client IP address. Refer to your load balancer's documentation to identify the correct header name. By default, X-Real-IP
.
The loadBalancerRealIPHeader
and loadBalancerTrustedCIDRs
parameters enable Wallarm eBPF to accurately determine the source IP when traffic is routed through an L7 load balancer (e.g., AWS ALB) external to the Kubernetes cluster.
config.agent.loadBalancerTrustedCIDRs¶
Defines a whitelist of CIDR ranges for trusted L7 load balancers. Example:
To update these values using Helm:
# To add a single item to the list:
helm upgrade <RELEASE_NAME> <CHART> --set 'config.agent.loadBalancerTrustedCIDRs[0]=10.10.0.0/24'
# To add multiple items to the list:
helm upgrade <RELEASE_NAME> <CHART> --set 'config.agent.loadBalancerTrustedCIDRs[0]=10.10.0.0/24,config.agent.loadBalancerTrustedCIDRs[1]=192.168.0.0/16'
processing.metrics¶
Controls the configuration of the Wallarm node metrics service. By default, the service is disabled.
If you enable the service, it is recommended to retain the default values for port
, path
, and scrapeInterval
:
processing.affinity and processing.nodeSelector¶
Controls the Kubernetes nodes on which the Wallarm eBPF daemonSet is deployed. By default, it is deployed on each node.
Applying changes¶
If you modify the values.yaml
file and want to upgrade your deployed chart, use the following command: