Environment Variables Details

Environment Variables

For Both Controller (Allinone) and Enforcer

  • CLUSTER_JOIN_ADDR

    Set the variable to the host IP for the first controller; and set it to the master controller’s host IP for other controllers and enforcers. It’s not necessary to set this IP for Kubernetes based deployments, just use the sample file.

  • CLUSTER_LAN_PORT

    (Optional) Cluster Serf LAN port. Both TCP and UDP ports must be mapped to the host directly. Optional if there is no port conflict on the host. Default 18301

  • DOCKER_URL

    (Optional) If the docker engine on the host does not bind on the normal Unix socket, use this variable to specify the TCP connection point, in the format of tcp://10.0.0.1:2376.

  • NV_PLATFORM_INFO

    (Optional) Use value platform=Docker for Docker Swarm/EE deployments, or platform=Kubernetes:GKE for GKE (to run GKE CIS Benchmarks).

  • CUSTOM_CHECK_CONTROL

    (Optional) Used to enable/disable ability to create custom compliance scripts in containers/hosts. Values are "disable" (default, not allowed), "strict" (admin role only), or "loose" (admin, compliance, and runtime-policy roles).

  • AUTO_PROFILE_COLLECT

    (Optional) Set value to 1 to enable collection of memory profile data to help investigate memory pressure issues.

Controller

  • CTRL_PERSIST_CONFIG

    (Optional) To backup configuration files and restore them from a persistent volume. Add this to the yaml to enable; remove to disable.

  • CLUSTER_RPC_PORT

    (Optional) Cluster server RPC port. Must be mapped to the host directly. The environment variable is optional if there is no port conflict on the host. Default 18300

  • CTRL_SERVER_PORT

    (Optional) HTTPS port that the REST server should be listening on. Default is 10443. Normally it can be left as default and use docker port option to map the port on the host.

  • DISABLE_PACKET_CAPTURE

    (Optional) Add this to the yaml to disable packet capture; remove to re-enable (default).

  • NO_DEFAULT_ADMIN

    (Optional) When enabled does not create an 'admin' user in the local cluster. This is used for Rancher SSO integration as the default. If not enabled, persistently warn the user and record events to change the default admin password if it is not changed from default.

  • CTRL_EN_ICMP_POLICY

    (Optional) When enabled (value=1) icmp traffic can be learned in discover mode, and policy can be generated. If there is no network policy in monitor or protect mode for the group, an implicit violation will be generated for icmp traffic.

Manager

  • CTRL_SERVER_IP

    (Optional for all-in-one) Controller REST server IP address. Default is 127.0.0.1. For all-in-one container, leave it as default. If the Manager is running separately, the Manager must specify this IP to connect to the controller.

  • CTRL_SERVER_PORT

    (Optional for all-in-one) Controller REST server port. Default is 10443. For all-in-one container, leave it as default. If the Manager is running separately, the Manager should specify this variable to connect to the controller.

  • MANAGER_SERVER_PORT

    (Optional) Manager UI port. Default is 8443. Unless the Manager is running in host mode, leave it and user docker port option to map the port on the host.

  • MANAGER_SSL

    (Optional) Manager by default uses and HTTPS/SSL connection. Set the value to “off” to use HTTP.

Enforcer

  • CONTAINER_NET_TYPE

    (Optional) To support special network plug-in set value to "macvlan`"

  • ENF_NO_SECRET_SCANS

    (Optional) Set the value to “1” to disable scanning for secrets in files (improves performance).

  • ENF_NO_AUTO_BENCHMARK

    (Optional) Set the value to “1” to disable CIS benchmarks on host and containers (improves performance).

  • ENF_NO_SYSTEM_PROFILES

    (Optional) Set the value to "1" to disable the process and file monitors. No learning processes, no profile modes, no process/file (package) incidents, and no file activity monitor will be performed. This will reduce CPU/memory resource usage and file operations.

  • ENF_NETPOLICY_PULL_INTERVAL

    (Optional) Value in seconds (recommended value 60) to reduce network traffic and resource consumption by Enforcer due to policy updates/recalculations, in clusters with high node counts or workloads. Default is zero, meaning no delay in updating Enforcer policy.

  • THRT_SSL_TLS_1DOT0

    (Optional) Set the value to “1” to enable the detection for TLS Version 1.0 (Deprecated).

  • THRT_SSL_TLS_1DOT1

    (Optional) Set the value to “1” to enable the detection for TLS Version 1.1 (Deprecated).

  • NV_SYSTEM_GROUPS

    (Optional) Specify what groups or namespaces that SUSE® Security considers to be 'system containers', separated by semi-colons. For example, for Rancher-based apps and the default namespace, NV_SYSTEM_GROUPS=cattle-system;default. These values are translated in regex. System containers (which also include SUSE® Security and Kubernetes system containers) operate only in Monitor mode (alert only) even if the group is set to Protect mode.

Open Ports

  • CLUSTER_RPC_PORT - on controller and all-in-one. Default 18300.

  • CLUSTER_LAN_PORT - on controller, enforcer and all-in-one. Default 18301.

  • MANAGER_SERVER_PORT - on manager or all-in-one. Default 8443.

  • CTRL_SERVER_PORT - on controller. Default 10443.

Please see the section Deployment Preparation for a full description of the port communication requirements for the SUSE® Security containers.