desc

Yes

The node name.

The value must comply with the following rules:

• The node name must be 1 to 63 characters long.
• The node name can contain the following characters:
  • Uppercase ASCII letters (A–Z)
  • Lowercase ASCII letters (a–z)
  • Numbers (0–9)
  • Hyphen (-)

   

type

Yes

The node type.

Possible parameter values:

• primary
• worker

   

host

Yes

The IP address of the node.

All nodes must be included in the same subnet as the Kubernetes cluster gateway.

kind

No

The node kind that specifies the Kaspersky Next XDR Expert component that will be installed on this node.

For Kaspersky Next XDR Expert to work correctly, we recommend that you select the node on which Administration Server will work. For this node, set the kind parameter to admsrv. Do not set the kind parameter to admsrv for other nodes.

user

Yes

The user name of the account created on the target host and used for connection to the node by KDT.

The value must comply with the following rules:

• The user name must be 1 to 31 characters long.
• The user name can contain the following characters:
  • Lowercase letters (a–z)
  • Numbers (0–9)
  • Underscore (_), hyphen (-)

   

password

No

The password for connecting to the node, which can be used instead of the SSH key.

key

Yes

The path to the private part of the SSH key located on the administrator host and used for connection to the node by KDT.

The parameter value must be a Linux file path or Base64-encoded file content. Also, the value must match the ssh_pk parameter value.

We recommend using the SSH key to establish a connection with the node.

psql_dsn

Yes

The connection string for accessing the DBMS that is installed and configured outside the Kubernetes cluster. 

Specify this parameter as follows:

psql_dsn=postgres://<dbms_username>:<password>@<fqdn>:<port>

where:

• dbms_username—The user name of a privileged internal DBMS account. This account is granted permissions to create databases and other DBMS accounts. By using this privileged DBMS account, the databases and other DBMS accounts required for the Kaspersky Next XDR Expert components will be created during the deployment. 
• password—The password of the privileged internal DBMS account.
• fqdn:port—The FQDN and connection port of the target host on which the DBMS is installed.

To use a highly available cluster, specify this parameter as follows:

psql_dsn=postgres://<dbms_username>:<password>@<fqdn1>:<port>,<fqdn2>:<port>,<fqdn3>:<port>

The psql_dsn parameter value must comply with the URI format. If the connection URI includes symbols with special meaning in any of its parts, it must be encoded with percent-encoding.

Symbols that must be replaced in the psql_dsn parameter value:

• Whitespace → %20
• % → %25
• & → %26
• / → %2F
• : → %3A
• = → %3D
• ? → %3F
• @ → %40
• [ → %5B
• ] → %5D

Refer to the PostgreSQL connection string article for details.

If the psql_dsn parameter is set, the Kaspersky Next XDR Expert components use the DBMS located at the specified FQDN.

nwc-language

Yes

The language of the OSMP Console interface is specified by default. After installation, you can change the OSMP Console language.

Possible parameter values:

• enUS (default value)
• ruRu

The default value is used if you do not specify this parameter in the configuration file.

ingress_ip

Yes

The reserved static IPv4 address of the Kubernetes cluster gateway.

The Kubernetes cluster gateway is intended for connecting to the Kaspersky Next XDR Expert components installed inside the Kubernetes cluster. The gateway must be included in the same subnet as the primary worker node.

ssh_pk

Yes

The path to the private part of the SSH key located on the administrator host and used for connection to the primary worker node and nodes with the KUMA services (collectors, correlators, and storages) by using KDT. The parameter value must be a Linux file path or Base64-encoded file content. Also, the value must match the key parameter value.

admin_password

Yes

The admin_password parameter specifies the password of the Kaspersky Next XDR Expert user account that will be created by KDT during the installation. The default user name of this account is "admin".

The Main administrator role is assigned to this user account.

The password must comply with the following rules:

• The user password cannot have fewer than 8 or more than 256 characters.
• The password must contain characters from at least three of the groups listed below:
  • Uppercase letters (A–Z)
  • Lowercase letters (a–z)
  • Numbers (0–9)
  • Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)
• The password must not contain any whitespaces, or the ".@" combination.

When you specify the admin_password parameter value manually (not by the Configuration wizard), make sure that this value meets the YAML standard requirements for values in strings:

• The parameter value containing special characters must be enclosed in single quotes.
• Any single quote ' inside the parameter value must be doubled to escape this single quote.

Example: the user account password Any_pass%1234'5678"90 must be specified as the value 'Any_pass%1234''5678"90' of the admin_password parameter.

low_resources

No

The parameter indicating that Kaspersky Next XDR Expert is installed on the target host with limited computing resources.Set the low_resources parameter to false for multi-node deployment.

Possible parameter values:

• true—Installation with limited computing resources (for single-node deployment)
• false—Standard installation (default value)

   

core_disk_request

Yes

The parameter that specifies the amount of disk space for the operation of KUMA Core. This parameter is used only if the low_resources parameter is set to false. If you do not specify the core_disk_request parameter and the low_resources parameter is set to false, the default amount of disk space for the operation of KUMA Core is allocated. The default amount of disk space is 512 GB.

If the low_resources parameter is set to true, the core_disk_request parameter is ignored and 4 GB of the disk space for the operation of KUMA Core is allocated.

inventory

Yes

The path to the KUMA inventory file located on the administrator host. The inventory file contains installation parameters for deployment of the KUMA services that are not included in the Kubernetes cluster. The parameter value must be a Linux file path or Base64-encoded file content.

host_inventory

No

The path to the additional KUMA inventory file located on the administrator host. This file contains the installation parameters used to partially add or remove hosts with the KUMA services. The parameter value must be a Linux file path or Base64-encoded file content.

If you perform an initial deployment of Kaspersky Next XDR Expert or run a custom action that requires configuration file, leave the default parameter value (/dev/null).

license

Yes

The path to the license key of KUMA Core. The parameter value must be a Linux file path or Base64-encoded file content.

nwc_host

flow_host

hydra_host

login_host

ksc_host

console_host

api_host

kuma_host

monitoring_host

Yes

The host name that is used in the FQDNs of the public Kaspersky Next XDR Expert services. The service host name and domain name (the smp_domain parameter value) are parts of the service FQDN.

If custom host names are not specified, the following default host names are used:

• nwc_host—"console"
• flow_host—"console"
• hydra_host—"console"
• login_host—"console"
• ksc_host—"admsrv"
• console_host—"console"
• api_host—"api"
• kuma_host—"kuma"
• monitoring_host—"monitoring"

smp_domain

Yes

The domain name that is used in the FQDNs of the public Kaspersky Next XDR Expert services. The parameter value must meet the requirements for second-level domain naming.

The service host name and domain name are parts of the service FQDN. For example, if the value of the console_host variable is console, and the value of the smp_domain variable is smp.local, then the full name of the service that provides access to the OSMP Console is console.smp.local.

pki_host_list

Yes

The list of host names of the public Kaspersky Next XDR Expert services for which a self-signed or custom certificate is to be generated. The parameter value must be a list of host names, separated by spaces.

intermediate_enabled

No

The parameter that indicates whether to use the custom intermediate certificate instead of the self-signed certificates for the public Kaspersky Next XDR Expert services.

Possible parameter values:

• true—Use custom intermediate certificate (default value).
• false—Use self-signed certificates.

   

intermediate_bundle

No

The path to the custom intermediate certificate used to work with public Kaspersky Next XDR Expert services. Specify this parameter if the intermediate_enabled parameter is set to true. The parameter value must be a Linux file path or Base64-encoded file content.

admsrv_bundle

api_bundle

console_bundle

No

The paths to the custom leaf certificates used to work with the corresponding public Kaspersky Next XDR Expert services: <admsrv_host>.<smp_domain>, <api_host>.<smp_domain>, and <console_host>.<smp_domain>. The parameter values must be a Linux file path or Base64-encoded file content.

If you want to specify the leaf custom certificates, set the intermediate_enabled parameter to false and do not specify the intermediate_bundle parameter.

encrypt_secret

sign_secret

Yes

The names of the secret files that are stored in the Kubernetes cluster. These names contain the domain name, which must match the smp_domain parameter value.

ksc_state_size

Yes

The amount of free disk space allocated to store the Administration Server data (updates, installation packages, and other internal service data). Measured in gigabytes, specified as "<amount>Gi". The required amount of free disk space depends on the number of managed devices and other parameters, and can be calculated.

The default value is 30 GB. This value is used if you do not specify this parameter in the configuration file.

prometheus_size

Yes

The amount of free disk space allocated to store metrics. Measured in gigabytes, specified as "<amount>GB".

The minimum recommended and default value is 5 GB. The default value is used if you do not specify this parameter in the configuration file.

grafana_admin_user

No

The user name of the account used to view OSMP metrics through the Grafana tool.

The value must comply with the following rules:

• The user name must be 1 to 30 characters long.
• The user name can contain the following characters:
  • Lowercase letters (a–z)
  • Numbers (0–9)
  • Special characters (_ - .)
• The user name must start with a letter.
• The user name must not contain either whitespaces or the "@" symbol.

   

grafana_admin_password

No

The password of the account used to view OSMP metrics through the Grafana tool.

The password must comply with the following rules:

• The user password cannot have fewer than 8 or more than 256 characters.
• The password must contain characters from at least three of the groups listed below:
  • Uppercase letters (A–Z)
  • Lowercase letters (a–z)
  • Numbers (0–9)
  • Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)
• The password must not contain either whitespaces or ".@".

   

loki_size

Yes

The amount of free disk space allocated to store OSMP logs. Measured in gigabytes, specified as "<amount>Gi".

The minimum recommended and default value is 20 GB. The default value is used if you do not specify this parameter in the configuration file.

loki_retention_period

Yes

The storage period of OSMP logs after which logs are automatically removed. The default value is 72 hours (set the parameter value in the configuration file as "<time in hours>h". For example, "72h"). The default value is used if you do not specify this parameter in the configuration file.

file_storage_cp

No

The amount of free disk space allocated to store data of the component for working with response actions. Measured in gigabytes, specified as "<amount>Gi". The minimum recommended value is 20 GB.

psql_tls_off

No

The parameter that indicates whether to encrypt the traffic between the Kaspersky Next XDR Expert components and the DBMS by using the TLS protocol. If the DBMS is installed outside the cluster, TLS encryption is disabled by default (the default value is true).

Possible parameter values:

• true—Do not encrypt the traffic (default value).
• false—Encrypt the traffic.

   

psql_trusted_cas

No

The path to the PEM file that can contain the TLS certificate of the DBMS server or a root certificate from which the TLS server certificate can be issued. The parameter value must be a Linux file path or Base64-encoded file content.

Specify the psql_trusted_cas parameter if the DBMS will be installed and configured on a separate server and traffic encryption is enabled (psql_tls_off is set to false).

proxy_enabled

No

The parameter that indicates whether to use the proxy server to connect the Kaspersky Next XDR Expert components to the internet. If the host on which Kaspersky Next XDR Expert is installed has internet access, you can also provide internet access for the operation of Kaspersky Next XDR Expert components (for example, Administration Server) and for specific integrations, both Kaspersky and third-party. To establish the proxy connection, you must also specify the proxy server parameters in the Administration Server properties. The default value is false.

Possible parameter values:

• true—Proxy server is used.
• false—Proxy server is not used.

proxy_addresses

No

The IP address of the proxy server. If the proxy server uses multiple IP addresses, specify these addresses separated by a space (for example, "0.0.0.0 0.0.0.1 0.0.0.2"). Specify this parameter if the proxy_enabled parameter is set to true.

proxy_port

No

The number of the port through which the proxy connection will be established. Specify this parameter if the proxy_enabled parameter is set to true.

trace_level

No

The verbosity level of Administration Server trace files. Traces are written during the Administration Server operation.

The default value is 0, no traces are written.

Possible parameter values: 0–5.

The higher the parameter value, the more detailed the trace details.

ansible_extra_flags

No

The verbosity level of logs of the KUMA Core and KUMA services deployment that is performed by KDT.

Possible parameter values:

• -v
• -vv
• -vvv
• -vvvv

As the number of "v" letters in the flag increases, logs become more detailed. If this parameter is not specified in the configuration file, the standard component installation logs are saved.

incident_attachments_max_count_limit

No

The number of files that you can attach to the incident. The default value is 100.

incident_attachments_max_size_limit

No

The total size of files attached to the incident. Measured in bytes. Specified without units of measurement. The default value is 26214400.

ignore_precheck

No

The parameter indicating whether to check the hardware, software, and network configuration of the Kubernetes cluster nodes for compliance with the prerequisites for installing the solution before the deployment.

The default value is false.

Possible parameter values:

• true—Skip the pre-checks.
• false—Perform the pre-checks.