Contrast-Security-OSS · gamingrobot · Nov 5, 2025
@@ -100,6 +100,8 @@ spec:
               value: '{{ .Values.operator.webhookConfiguration }}'
             - name: CONTRAST_ENABLE_EARLY_CHAINING
               value: '{{ .Values.operator.enableEarlyChaining }}'
+            - name: CONTRAST_ENABLE_AGENT_STDOUT
+              value: '{{ .Values.operator.enableAgentStdout }}'
             - name: CONTRAST_INSTALL_SOURCE
               value: helm
             - name: CONTRAST_INITCONTAINER_CPU_REQUEST

@@ -322,13 +322,19 @@
             "type": "object",
             "properties": {
                 "annotations": {
+                    "description": "Deployment Annotations for the operator deployment.",
                     "type": "object"
                 },
                 "defaultRegistry": {
                     "description": "The default registry to use, defaults to docker.io/contrast.",
                     "default": "contrast",
                     "type": "string"
                 },
+                "enableAgentStdout": {
+                    "description": "Globally enable agents logging to stdout",
+                    "default": false,
+                    "type": "boolean"
+                },
                 "enableEarlyChaining": {
                     "description": "Enable early chaining. Should only be enabled if you are using a dotnet-core AgentInjector and DynaKube is used in classicStack mode.",
                     "default": false,
@@ -419,12 +425,15 @@
                     }
                 },
                 "labels": {
+                    "description": "Deployment Labels for the operator deployment.",
                     "type": "object"
                 },
                 "podAnnotations": {
+                    "description": "Pod Annotations for the operator pod(s).",
                     "type": "object"
                 },
                 "podLabels": {
+                    "description": "Pod Labels for the operator pod(s).",
                     "type": "object"
                 },
                 "replicas": {

@@ -45,11 +45,15 @@ operator:
   webhookConfiguration: # @schema type:[string];default:contrast-web-hook-configuration
   # -- Enable early chaining. Should only be enabled if you are using a dotnet-core AgentInjector and DynaKube is used in classicStack mode.
   enableEarlyChaining: # @schema type:[boolean];default:false
-  # Metadata for the operator deployment.
+  # -- Globally enable agents logging to stdout
+  enableAgentStdout: # @schema type:[boolean];default:false
+  # -- Deployment Labels for the operator deployment.
   labels: {}
+  # -- Deployment Annotations for the operator deployment.
   annotations: {}
-  # Metadata for the operator pod(s).
+  # -- Pod Labels for the operator pod(s).
   podLabels: {}
+  # -- Pod Annotations for the operator pod(s).
   podAnnotations: {}
   # -- SecurityContext for operator pod.
   securityContext: {}

@@ -46,6 +46,8 @@ operator:
   webhookConfiguration: contrast-web-hook-configuration
   # Enable early chaining. Should only be enabled if you are using a dotnet-core AgentInjector and DynaKube is used in classicStack mode.
   enableEarlyChaining: false
+  # Globally enable agents logging to stdout
+  enableAgentStdout: false
   # Metadata for the operator deployment.
   labels: {}
   annotations: {}

@@ -298,6 +298,11 @@ private IEnumerable<V1EnvVar> GenerateEnvVars(PatchingContext context, V1Pod pod
         yield return new V1EnvVar("CONTRAST_MOUNT_AGENT_PATH", agentMountPath);
         yield return new V1EnvVar("CONTRAST_MOUNT_WRITABLE_PATH", writableMountPath);
 
+        if (_operatorOptions.EnableAgentStdout)
+        {
+            yield return new V1EnvVar("CONTRAST__AGENT__LOGGER__STDOUT", "true");
+        }
+
         if (connection.TeamServerUri != null)
         {
             yield return new V1EnvVar("CONTRAST__API__URL", connection.TeamServerUri);

@@ -65,12 +65,15 @@ protected override void Load(ContainerBuilder builder)
             }
 
             // Users may override this on a per AgentConfiguration bases via the InitContainer override field.
-            var runInitContainersAsNonRoot = GetEnvironmentOptionFlag(logger, "CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT", "run-init-container-as-non-root", true); ;
+            var runInitContainersAsNonRoot = GetEnvironmentOptionFlag(logger, "CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT", "run-init-container-as-non-root", true);
 
             // This is needed for OpenShift < 4.11 (Assumed per the change log, unable to test at the time of writing).
             // See: https://github.com/openshift/cluster-kube-apiserver-operator/issues/1325
             var suppressSeccompProfile = GetEnvironmentOptionFlag(logger, "CONTRAST_SUPPRESS_SECCOMP_PROFILE", "suppress-seccomp-profile", false);
 
+            // Users may override this on a per AgentConfiguration bases in the yaml section with the key agent.logger.stdout
+            var enableAgentStdout = GetEnvironmentOptionFlag(logger, "CONTRAST_ENABLE_AGENT_STDOUT", "enable-agent-stdout", false);
+
             // A value from 0-100 to denote how many options the operator should purposely fail in.
             // The goal is to test and correctly handle a non-perfect cluster.
             var chaosPercent = 0;
@@ -90,6 +93,7 @@ protected override void Load(ContainerBuilder builder)
                 eventQueueMergeWindowSeconds,
                 runInitContainersAsNonRoot,
                 suppressSeccompProfile,
+                enableAgentStdout,
                 chaosPercent / 100m);
         }).SingleInstance();
 

@@ -12,5 +12,6 @@ public record OperatorOptions(string Namespace,
                               int EventQueueMergeWindowSeconds,
                               bool RunInitContainersAsNonRoot,
                               bool SuppressSeccompProfile,
+                              bool EnableAgentStdout,
                               decimal ChaosRatio,
                               string FieldManagerName = "agents.contrastsecurity.com");