Configuration Parameters

Orchestrator

| Environment Variable | Required | Default | Values | Description |
|---|---|---|---|---|
| VMCLARITY_ORCHESTRATOR_PROVIDER | yes | aws | aws, azure, gcp, docker | Provider used for Asset discovery and scans. |
| VMCLARITY_ORCHESTRATOR_APISERVER_ADDRESS | yes | | | The URL for the API Server used by the Orchestrator to interact with the API. Example: https://apiserver.example.com:8888/api |
| VMCLARITY_ORCHESTRATOR_HEALTHCHECK_ADDRESS | | :8082 | | Bind address used by the Orchestrator for the healthz endpoint. Example: localhost:8082, which makes the health endpoints available at localhost:8082/healthz/live and localhost:8082/healthz/ready. |
| VMCLARITY_ORCHESTRATOR_DISCOVERY_INTERVAL | | 2m | | How frequently the Discovery performs discovery of Assets. |
| VMCLARITY_ORCHESTRATOR_CONTROLLER_STARTUP_DELAY | | 7s | | The time interval to wait between controller startups. Do NOT change this parameter unless you know what you are doing. |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_POLL_PERIOD | | 15s | | How frequently to poll the API for events related to AssetScan objects. |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_RECONCILE_TIMEOUT | | 5m | | Time period a reconciliation of an AssetScan event is allowed to run. |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_ABORT_TIMEOUT | | 10m | | Time period to wait for the Scanner to gracefully stop an on-going scan for an AssetScan before setting the state of the AssetScan to Failed. |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_DELETE_POLICY | | Always | Always, Never, OnSuccess | Whether to delete resources (disk snapshot, container snapshot/images) based on the status of the AssetScan. Always means the resources are deleted whether the AssetScan failed or not. Never skips cleaning up the resources created for scanning. OnSuccess means that cleanup happens only in case the AssetScan was successful. |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_CONTAINER_IMAGE | yes | | | The Scanner container image used for running scans. |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_FRESHCLAM_MIRROR | | | | |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_APISERVER_ADDRESS | | | | The URL for the API Server used by the Scanner to interact with the API. Example: https://apiserver.example.com:8888/api |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_EXPLOITSDB_ADDRESS | | | | The URL for the ExploitsDB Server used by the Scanner. |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_TRIVY_SERVER_ADDRESS | | | | The URL for the Trivy Server used by the Scanner. |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_TRIVY_SERVER_TIMEOUT | | 5m | | |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_GRYPE_SERVER_ADDRESS | | | | The URL for the Grype Server used by the Scanner. |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_GRYPE_SERVER_TIMEOUT | | 2m | | |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_WATCHER_SCANNER_YARA_RULE_SERVER_ADDRESS | | | | The URL for the Yara Rule Server used by the Scanner. |
| VMCLARITY_ORCHESTRATOR_SCANCONFIG_WATCHER_POLL_PERIOD | | | | How frequently the ScanConfig Watcher polls the API for events related to ScanConfig objects. |
| VMCLARITY_ORCHESTRATOR_SCANCONFIG_WATCHER_RECONCILE_TIMEOUT | | | | Time period a reconciliation of a ScanConfig event is allowed to run. |
| VMCLARITY_ORCHESTRATOR_SCAN_WATCHER_POLL_PERIOD | | | | How frequently the AssetScan Watcher polls the API for events related to Scan objects. |
| VMCLARITY_ORCHESTRATOR_SCAN_WATCHER_RECONCILE_TIMEOUT | | | | Time period a reconciliation of a Scan event is allowed to run. |
| VMCLARITY_ORCHESTRATOR_SCAN_WATCHER_SCAN_TIMEOUT | | | | Time period to wait for the Scan to finish before marking its state as Failed with Timeout as the reason. |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_PROCESSOR_POLL_PERIOD | | | | How frequently the AssetScan Processor polls the API for events related to AssetScan objects. |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_PROCESSOR_RECONCILE_TIMEOUT | | | | Time period the processing of an AssetScan result is allowed to run. |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_ESTIMATION_WATCHER_POLL_PERIOD | | 5s | | |
| VMCLARITY_ORCHESTRATOR_ASSETSCAN_ESTIMATION_WATCHER_RECONCILE_TIMEOUT | | 15s | | |
| VMCLARITY_ORCHESTRATOR_SCAN_ESTIMATION_WATCHER_POLL_PERIOD | | 5s | | |
| VMCLARITY_ORCHESTRATOR_SCAN_ESTIMATION_WATCHER_RECONCILE_TIMEOUT | | 2m | | |
| VMCLARITY_ORCHESTRATOR_SCAN_ESTIMATION_WATCHER_ESTIMATION_TIMEOUT | | 48h | | |
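A pre-flight check for the Orchestrator settings above is a useful thing to run before deploying: it catches a missing required variable, a provider or delete policy outside the documented value set, a malformed duration or URL, and a health-check bind address that is not host:port. The Go program below is an added example, not code from the OpenClarity project; its only rules taken from the table are the required variables, the allowed values and the meaning of each column. Flagging plaintext http on the server URLs is this example's own policy choice (the page only gives https examples), and the sample values in the comments are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"os"
	"sort"
	"strings"
	"time"
)

const prefix = "VMCLARITY_ORCHESTRATOR_"

// Allowed values, taken from the Values column of the table.
var allowedProviders = map[string]bool{"aws": true, "azure": true, "gcp": true, "docker": true}
var allowedDeletePolicies = map[string]bool{"Always": true, "Never": true, "OnSuccess": true}

// Variables the table marks as required.
var requiredVars = []string{
	prefix + "PROVIDER",
	prefix + "APISERVER_ADDRESS",
	prefix + "ASSETSCAN_WATCHER_SCANNER_CONTAINER_IMAGE",
}

// Variables the table documents as time periods (defaults such as "2m", "15s", "48h").
var durationVars = []string{
	prefix + "DISCOVERY_INTERVAL", prefix + "CONTROLLER_STARTUP_DELAY",
	prefix + "ASSETSCAN_WATCHER_POLL_PERIOD", prefix + "ASSETSCAN_WATCHER_RECONCILE_TIMEOUT",
	prefix + "ASSETSCAN_WATCHER_ABORT_TIMEOUT",
	prefix + "ASSETSCAN_WATCHER_SCANNER_TRIVY_SERVER_TIMEOUT", prefix + "ASSETSCAN_WATCHER_SCANNER_GRYPE_SERVER_TIMEOUT",
	prefix + "SCANCONFIG_WATCHER_POLL_PERIOD", prefix + "SCANCONFIG_WATCHER_RECONCILE_TIMEOUT",
	prefix + "SCAN_WATCHER_POLL_PERIOD", prefix + "SCAN_WATCHER_RECONCILE_TIMEOUT", prefix + "SCAN_WATCHER_SCAN_TIMEOUT",
	prefix + "ASSETSCAN_PROCESSOR_POLL_PERIOD", prefix + "ASSETSCAN_PROCESSOR_RECONCILE_TIMEOUT",
	prefix + "ASSETSCAN_ESTIMATION_WATCHER_POLL_PERIOD", prefix + "ASSETSCAN_ESTIMATION_WATCHER_RECONCILE_TIMEOUT",
	prefix + "SCAN_ESTIMATION_WATCHER_POLL_PERIOD", prefix + "SCAN_ESTIMATION_WATCHER_RECONCILE_TIMEOUT",
	prefix + "SCAN_ESTIMATION_WATCHER_ESTIMATION_TIMEOUT",
}

// Variables the table documents as URLs of servers the Orchestrator or Scanner talks to.
var urlVars = []string{
	prefix + "APISERVER_ADDRESS",
	prefix + "ASSETSCAN_WATCHER_SCANNER_APISERVER_ADDRESS",
	prefix + "ASSETSCAN_WATCHER_SCANNER_EXPLOITSDB_ADDRESS",
	prefix + "ASSETSCAN_WATCHER_SCANNER_TRIVY_SERVER_ADDRESS",
	prefix + "ASSETSCAN_WATCHER_SCANNER_GRYPE_SERVER_ADDRESS",
	prefix + "ASSETSCAN_WATCHER_SCANNER_YARA_RULE_SERVER_ADDRESS",
}

// ValidateOrchestratorEnv checks the given variables against the constraints in
// the table and returns one message per problem, sorted so the output is stable.
// An empty result means every check passed. Unset optional variables are not
// reported, because the documented default then applies.
func ValidateOrchestratorEnv(env map[string]string) []string {
	var problems []string

	for _, name := range requiredVars {
		if strings.TrimSpace(env[name]) == "" {
			problems = append(problems, name+": required but not set")
		}
	}
	if v := env[prefix+"PROVIDER"]; v != "" && !allowedProviders[v] {
		problems = append(problems, fmt.Sprintf("%sPROVIDER: %q is not one of aws, azure, gcp, docker", prefix, v))
	}
	if v := env[prefix+"ASSETSCAN_WATCHER_DELETE_POLICY"]; v != "" && !allowedDeletePolicies[v] {
		problems = append(problems, fmt.Sprintf("%sASSETSCAN_WATCHER_DELETE_POLICY: %q is not one of Always, Never, OnSuccess", prefix, v))
	}
	for _, name := range durationVars {
		if v := env[name]; v != "" {
			if d, err := time.ParseDuration(v); err != nil || d < 0 {
				problems = append(problems, fmt.Sprintf("%s: %q is not a duration such as 15s, 5m or 48h", name, v))
			}
		}
	}
	for _, name := range urlVars {
		v := env[name]
		if v == "" {
			continue
		}
		u, err := url.Parse(v)
		if err != nil || u.Scheme == "" || u.Host == "" {
			problems = append(problems, fmt.Sprintf("%s: %q is not an absolute URL such as https://apiserver.example.com:8888/api", name, v))
			continue
		}
		// Policy of this example, not a rule from the page: scan results travel over
		// these connections, so a plaintext scheme is reported as a problem.
		if u.Scheme == "http" {
			problems = append(problems, fmt.Sprintf("%s: %q uses plaintext http; prefer https", name, v))
		}
	}
	if v := env[prefix+"HEALTHCHECK_ADDRESS"]; v != "" {
		if _, _, err := net.SplitHostPort(v); err != nil {
			problems = append(problems, fmt.Sprintf("%sHEALTHCHECK_ADDRESS: %q is not a host:port bind address such as :8082 or localhost:8082", prefix, v))
		}
	}
	sort.Strings(problems)
	return problems
}

// envFromProcess collects every VMCLARITY_ORCHESTRATOR_* variable from the process environment.
func envFromProcess() map[string]string {
	env := map[string]string{}
	for _, kv := range os.Environ() {
		if k, v, ok := strings.Cut(kv, "="); ok && strings.HasPrefix(k, prefix) {
			env[k] = v
		}
	}
	return env
}

func main() {
	// Usage: export the VMCLARITY_ORCHESTRATOR_* variables, then run the program;
	// it prints one line per problem and exits non-zero when any were found.
	problems := ValidateOrchestratorEnv(envFromProcess())
	for _, p := range problems {
		fmt.Println(p)
	}
	if len(problems) > 0 {
		os.Exit(1)
	}
	fmt.Println("orchestrator configuration OK")
}
```

The check deliberately reports every problem at once rather than stopping at the first, so a deployment pipeline can surface the whole list in one run; an unset DELETE_POLICY is accepted because the table's default (Always) applies.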

Provider

AWS

| Environment Variable | Required | Default | Description |
|---|---|---|---|
| VMCLARITY_AWS_REGION | yes | | Region where the Scanner instance needs to be created |
| VMCLARITY_AWS_SUBNET_ID | yes | | SubnetID where the Scanner instance needs to be created |
| VMCLARITY_AWS_SECURITY_GROUP_ID | yes | | SecurityGroupId which needs to be attached to the Scanner instance |
| VMCLARITY_AWS_KEYPAIR_NAME | | | Name of the SSH KeyPair to use for the Scanner instance launch |
| VMCLARITY_AWS_SCANNER_AMI_ID | yes | | The AMI image used for creating the Scanner instance |
| VMCLARITY_AWS_SCANNER_INSTANCE_TYPE | | t2.large | The instance type used for the Scanner instance |
| VMCLARITY_AWS_BLOCK_DEVICE_NAME | | xvdh | Block device name used for attaching the Scanner volume to the Scanner instance |
Last modified August 16, 2024: Openclarity rename (#45) (caba007)