Configuration

Configure the Varax operator with ComplianceConfig custom resources.

ComplianceConfig CRD

The Varax operator is configured through ComplianceConfig custom resources. A default config is created during Helm installation.

apiVersion: compliance.varax.io/v1alpha1
kind: ComplianceConfig
metadata:
  name: default
spec:
  framework: soc2
  excludeNamespaces:
    - kube-system
    - kube-public
    - kube-node-lease
  scanInterval: 24h
  remediation:
    autoRemediate: false
    dryRun: true
  reports:
    formats:
      - html
      - json
  alerting:
    scoreThreshold: 80
    criticalViolationThreshold: 0

Field Reference

Field                                Type       Default             Description
framework                            string     soc2                Compliance framework to map against (soc2)
excludeNamespaces                    []string   system namespaces   Namespaces to skip during scanning
scanInterval                         duration   24h                 How often to run scans (minimum: 1m)
remediation.autoRemediate            bool       false               Enable automatic remediation (Pro only)
remediation.dryRun                   bool       true                Preview remediation without applying changes
reports.formats                      []string   ["json"]            Report output formats: html, json
alerting.scoreThreshold              int        80                  Alert when compliance score drops below this value
alerting.criticalViolationThreshold  int        0                   Alert when critical violations exceed this count

Namespace Exclusions

By default, Varax skips Kubernetes system namespaces (kube-system, kube-public, kube-node-lease) to avoid false positives on infrastructure components.

Add your own exclusions for namespaces that shouldn’t be scanned:

spec:
  excludeNamespaces:
    - kube-system
    - kube-public
    - kube-node-lease
    - monitoring
    - istio-system

Scan Interval

The minimum scan interval is 1 minute to prevent API server overload. For production clusters, we recommend 24 hours:

spec:
  scanInterval: 24h

For development or pre-audit preparation, you can run more frequently:

spec:
  scanInterval: 1h

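The field reference and the scan interval minimum above can be checked before a ComplianceConfig is applied. The following linter is an added example, not part of the Varax operator or its documentation; it assumes the object is available in JSON form (as from `kubectl get complianceconfig default -o json`) and that durations use Go-style units (s, m, h).

```python
import json
import re

# Constraints taken from the ComplianceConfig field reference on this page.
ALLOWED_FRAMEWORKS = {"soc2"}
ALLOWED_FORMATS = {"html", "json"}
SYSTEM_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease"}
MIN_SCAN_SECONDS = 60  # scanInterval minimum is 1m
_UNITS = {"s": 1, "m": 60, "h": 3600}

def parse_duration(value):
    """Parse a Go-style duration such as '24h', '90m' or '1h30m' into seconds."""
    parts = re.findall(r"(\d+)([smh])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unrecognised duration {value!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)

def lint_compliance_config(cfg):
    """Return a list of findings for one ComplianceConfig object in dict (JSON) form."""
    spec = cfg.get("spec", {})
    findings = []
    if spec.get("framework", "soc2") not in ALLOWED_FRAMEWORKS:
        findings.append(f"framework: unsupported value {spec.get('framework')!r}")
    try:
        if parse_duration(spec.get("scanInterval", "24h")) < MIN_SCAN_SECONDS:
            findings.append("scanInterval: below the 1m minimum")
    except ValueError as exc:
        findings.append(f"scanInterval: {exc}")
    missing = SYSTEM_NAMESPACES - set(spec.get("excludeNamespaces", SYSTEM_NAMESPACES))
    if missing:
        findings.append(f"excludeNamespaces: system namespaces not excluded: {sorted(missing)}")
    unknown = set(spec.get("reports", {}).get("formats", ["json"])) - ALLOWED_FORMATS
    if unknown:
        findings.append(f"reports.formats: unknown formats {sorted(unknown)}")
    rem = spec.get("remediation", {})
    if rem.get("autoRemediate", False) and not rem.get("dryRun", True):
        findings.append("remediation: autoRemediate with dryRun=false changes live workloads")
    score = spec.get("alerting", {}).get("scoreThreshold", 80)
    if not 0 <= score <= 100:
        findings.append(f"alerting.scoreThreshold: {score} is outside 0-100")
    return findings

# Constructed sample, shaped like `kubectl get complianceconfig default -o json` output.
SAMPLE_CONFIG = json.loads("""{
  "apiVersion": "compliance.varax.io/v1alpha1", "kind": "ComplianceConfig",
  "metadata": {"name": "default"},
  "spec": {"framework": "soc2", "excludeNamespaces": ["kube-system", "monitoring"],
           "scanInterval": "30s", "remediation": {"autoRemediate": true, "dryRun": false},
           "reports": {"formats": ["html", "pdf"]}, "alerting": {"scoreThreshold": 80}}
}""")
```

Calling `lint_compliance_config(SAMPLE_CONFIG)` on the constructed sample reports four findings (short interval, two system namespaces not excluded, an unknown report format, and live remediation without dry run).
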
Helm Values

Common Helm overrides for the operator deployment:

# values.yaml
replicaCount: 1

resources:
  requests:
    memory: 128Mi
    cpu: 100m
  limits:
    memory: 256Mi
    cpu: 200m

metrics:
  enabled: true
  port: 8080

serviceMonitor:
  enabled: false  # Enable if using Prometheus Operator

Install with custom values:

helm install varax varaxlabs/operator -f values.yaml

Viewing Current Configuration

kubectl get complianceconfigs
kubectl describe complianceconfig default

The status subresource shows current scan state:

kubectl get complianceconfigs -o wide
NAME      FRAMEWORK   SCORE   VIOLATIONS   PHASE       AGE
default   soc2        87      9            Compliant   24h