policy values.yaml
openshiftπ£
Type: bool
false
replicasπ£
Type: int
3
auditIntervalπ£
Type: int
300
metricsBackends[0]π£
Type: string
"prometheus"
auditMatchKindOnlyπ£
Type: bool
true
constraintViolationsLimitπ£
Type: int
1000
auditFromCacheπ£
Type: bool
false
disableMutationπ£
Type: bool
true
disableValidatingWebhookπ£
Type: bool
false
validatingWebhookTimeoutSecondsπ£
Type: int
15
validatingWebhookFailurePolicy
Type: string
"Ignore"
Note: "Ignore" makes the validating webhook fail open. If the Gatekeeper webhook pods are unavailable or do not answer within validatingWebhookTimeoutSeconds, the API server admits the request without evaluating any constraint, so every "deny" constraint below is bypassed for the duration of the outage. Set this to "Fail" to fail closed; if you do, exempt the control-plane and Gatekeeper namespaces via controllerManager.exemptNamespaces so a webhook outage cannot wedge the cluster.
validatingWebhookExemptNamespacesLabelsπ£
Type: object
{}
Default value (formatted)
{}
validatingWebhookObjectSelectorπ£
Type: object
{}
Default value (formatted)
{}
validatingWebhookCheckIgnoreFailurePolicy
Type: string
"Fail"
Note: This is the failure policy of the second, separate validating webhook that (per upstream Gatekeeper) guards the admission.gatekeeper.sh/ignore namespace label. Keep it at "Fail": if it were "Ignore", a webhook outage would let anyone with namespace write access label a namespace as exempt from policy.
validatingWebhookCustomRulesπ£
Type: object
{}
Default value (formatted)
{}
enableDeleteOperations
Type: bool
false
Note: With this false the webhook rules do not include DELETE, so no constraint can block or observe deletions; enable it only if a constraint is written for DELETE admission reviews.
enableExternalData
Type: bool
false
Note: External data providers let constraint templates call out to an external service from the admission path. Leave this disabled unless a provider is actually deployed, since it adds an outbound dependency (and a latency source) to every admission decision.
enableTLSHealthcheckπ£
Type: bool
false
mutatingWebhookFailurePolicy
Type: string
"Ignore"
Note: Mutation is disabled in this chart by default (disableMutation is true), so this value has no effect unless mutation is turned on. If it is, "Ignore" has the same fail-open behavior described for validatingWebhookFailurePolicy: an unavailable webhook means objects are admitted unmutated.
mutatingWebhookReinvocationPolicyπ£
Type: string
"Never"
mutatingWebhookExemptNamespacesLabelsπ£
Type: object
{}
Default value (formatted)
{}
mutatingWebhookObjectSelectorπ£
Type: object
{}
Default value (formatted)
{}
mutatingWebhookTimeoutSecondsπ£
Type: int
1
mutatingWebhookCustomRulesπ£
Type: object
{}
Default value (formatted)
{}
mutationAnnotationsπ£
Type: bool
false
auditChunkSizeπ£
Type: int
500
logLevelπ£
Type: string
"INFO"
logDeniesπ£
Type: bool
true
logMutationsπ£
Type: bool
true
emitAdmissionEvents
Type: bool
false
emitAuditEvents
Type: bool
false
Note: With both false, denials and audit violations are recorded only in the controller and audit pod logs (logDenies and logMutations are true). Enable these if your detection pipeline consumes Kubernetes Events rather than pod logs; otherwise make sure the gatekeeper-system pod logs are shipped.
resourceQuotaπ£
Type: bool
true
postUpgrade.labelNamespace.enabledπ£
Type: bool
false
postUpgrade.labelNamespace.image.repositoryπ£
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
postUpgrade.labelNamespace.image.tagπ£
Type: string
"v1.22.2"
postUpgrade.labelNamespace.image.pullPolicyπ£
Type: string
"IfNotPresent"
postUpgrade.labelNamespace.image.pullSecretsπ£
Type: list
[]
Default value (formatted)
[]
postUpgrade.labelNamespace.extraNamespacesπ£
Type: list
[]
Default value (formatted)
[]
postUpgrade.securityContext.allowPrivilegeEscalationπ£
Type: bool
false
postUpgrade.securityContext.capabilities.drop[0]π£
Type: string
"all"
postUpgrade.securityContext.readOnlyRootFilesystemπ£
Type: bool
true
postUpgrade.securityContext.runAsGroupπ£
Type: int
999
postUpgrade.securityContext.runAsNonRootπ£
Type: bool
true
postUpgrade.securityContext.runAsUserπ£
Type: int
1000
postInstall.labelNamespace.extraRulesπ£
Type: list
[]
Default value (formatted)
[]
postInstall.labelNamespace.enabledπ£
Type: bool
true
postInstall.labelNamespace.image.repositoryπ£
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
postInstall.labelNamespace.image.tagπ£
Type: string
"v1.22.2"
postInstall.labelNamespace.image.pullPolicyπ£
Type: string
"IfNotPresent"
postInstall.labelNamespace.image.pullSecretsπ£
Type: list
[]
Default value (formatted)
[]
postInstall.labelNamespace.extraNamespacesπ£
Type: list
[]
Default value (formatted)
[]
postInstall.probeWebhook.enabledπ£
Type: bool
true
postInstall.probeWebhook.image.repositoryπ£
Type: string
"registry1.dso.mil/ironbank/big-bang/base"
postInstall.probeWebhook.image.tagπ£
Type: string
"2.0.0"
postInstall.probeWebhook.image.pullPolicyπ£
Type: string
"IfNotPresent"
postInstall.probeWebhook.image.pullSecretsπ£
Type: list
[]
Default value (formatted)
[]
postInstall.probeWebhook.waitTimeoutπ£
Type: int
60
postInstall.probeWebhook.httpTimeoutπ£
Type: int
2
postInstall.probeWebhook.insecureHTTPS
Type: bool
false
Note: Setting this true disables TLS certificate verification when the post-install job probes the webhook endpoint. Leave it false; a verification failure here usually points at a cert-rotation or CA-bundle problem that also affects the API server's calls to the webhook.
postInstall.securityContext.allowPrivilegeEscalationπ£
Type: bool
false
postInstall.securityContext.capabilities.drop[0]π£
Type: string
"all"
postInstall.securityContext.readOnlyRootFilesystemπ£
Type: bool
true
postInstall.securityContext.runAsGroupπ£
Type: int
999
postInstall.securityContext.runAsNonRootπ£
Type: bool
true
postInstall.securityContext.runAsUserπ£
Type: int
1000
preUninstall.deleteWebhookConfigurations.extraRulesπ£
Type: list
[]
Default value (formatted)
[]
preUninstall.deleteWebhookConfigurations.enabledπ£
Type: bool
false
preUninstall.deleteWebhookConfigurations.image.repositoryπ£
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
preUninstall.deleteWebhookConfigurations.image.tagπ£
Type: string
"v1.22.2"
preUninstall.deleteWebhookConfigurations.image.pullPolicyπ£
Type: string
"IfNotPresent"
preUninstall.deleteWebhookConfigurations.image.pullSecretsπ£
Type: list
[]
Default value (formatted)
[]
preUninstall.securityContext.allowPrivilegeEscalationπ£
Type: bool
false
preUninstall.securityContext.capabilities.drop[0]π£
Type: string
"all"
preUninstall.securityContext.readOnlyRootFilesystemπ£
Type: bool
true
preUninstall.securityContext.runAsGroupπ£
Type: int
999
preUninstall.securityContext.runAsNonRootπ£
Type: bool
true
preUninstall.securityContext.runAsUserπ£
Type: int
1000
image.repositoryπ£
Type: string
"registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper"
image.releaseπ£
Type: string
"v3.9.0"
image.pullPolicyπ£
Type: string
"IfNotPresent"
image.pullSecrets[0].nameπ£
Type: string
"private-registry"
image.crdRepositoryπ£
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
image.crdReleaseπ£
Type: string
"v1.22.2"
podAnnotations."container.seccomp.security.alpha.kubernetes.io/manager"
Type: string
"runtime/default"
Note: This is the legacy alpha seccomp annotation, which upstream Kubernetes has deprecated in favor of the securityContext.seccompProfile field. It is kept for older kubelets; on current clusters the profile is applied via enableRuntimeDefaultSeccompProfile below, so do not rely on this annotation alone.
podLabelsπ£
Type: object
{}
Default value (formatted)
{}
podCountLimitπ£
Type: int
100
secretAnnotationsπ£
Type: object
{}
Default value (formatted)
{}
enableRuntimeDefaultSeccompProfileπ£
Type: bool
true
controllerManager.exemptNamespacesπ£
Type: list
[]
Default value (formatted)
[]
controllerManager.exemptNamespacePrefixesπ£
Type: list
[]
Default value (formatted)
[]
controllerManager.hostNetworkπ£
Type: bool
false
controllerManager.dnsPolicyπ£
Type: string
"ClusterFirst"
controllerManager.portπ£
Type: int
8443
controllerManager.metricsPortπ£
Type: int
8888
controllerManager.healthPortπ£
Type: int
9090
controllerManager.priorityClassNameπ£
Type: string
"system-cluster-critical"
controllerManager.disableCertRotationπ£
Type: bool
false
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].keyπ£
Type: string
"gatekeeper.sh/operation"
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].operatorπ£
Type: string
"In"
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values[0]π£
Type: string
"webhook"
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKeyπ£
Type: string
"kubernetes.io/hostname"
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weightπ£
Type: int
100
controllerManager.tolerationsπ£
Type: list
[]
Default value (formatted)
[]
controllerManager.nodeSelector.”kubernetes.io/os”π£
Type: string
"linux"
controllerManager.resources.limits.cpuπ£
Type: string
"175m"
controllerManager.resources.limits.memoryπ£
Type: string
"512Mi"
controllerManager.resources.requests.cpuπ£
Type: string
"175m"
controllerManager.resources.requests.memoryπ£
Type: string
"512Mi"
controllerManager.securityContext.allowPrivilegeEscalationπ£
Type: bool
false
controllerManager.securityContext.capabilities.drop[0]π£
Type: string
"all"
controllerManager.securityContext.readOnlyRootFilesystemπ£
Type: bool
true
controllerManager.securityContext.runAsGroupπ£
Type: int
999
controllerManager.securityContext.runAsNonRootπ£
Type: bool
true
controllerManager.securityContext.runAsUserπ£
Type: int
1000
controllerManager.podSecurityContext.fsGroupπ£
Type: int
999
controllerManager.podSecurityContext.supplementalGroups[0]π£
Type: int
999
controllerManager.extraRulesπ£
Type: list
[]
Default value (formatted)
[]
audit.hostNetworkπ£
Type: bool
false
audit.dnsPolicyπ£
Type: string
"ClusterFirst"
audit.metricsPortπ£
Type: int
8888
audit.healthPortπ£
Type: int
9090
audit.priorityClassNameπ£
Type: string
"system-cluster-critical"
audit.disableCertRotationπ£
Type: bool
true
audit.affinityπ£
Type: object
{}
Default value (formatted)
{}
audit.tolerationsπ£
Type: list
[]
Default value (formatted)
[]
audit.nodeSelector.”kubernetes.io/os”π£
Type: string
"linux"
audit.writeToRAMDiskπ£
Type: bool
false
audit.resources.limits.cpuπ£
Type: float
1.2
audit.resources.limits.memoryπ£
Type: string
"768Mi"
audit.resources.requests.cpuπ£
Type: float
1.2
audit.resources.requests.memoryπ£
Type: string
"768Mi"
audit.securityContext.allowPrivilegeEscalationπ£
Type: bool
false
audit.securityContext.capabilities.drop[0]π£
Type: string
"all"
audit.securityContext.readOnlyRootFilesystemπ£
Type: bool
true
audit.securityContext.runAsGroupπ£
Type: int
999
audit.securityContext.runAsNonRootπ£
Type: bool
true
audit.securityContext.runAsUserπ£
Type: int
1000
audit.podSecurityContext.fsGroupπ£
Type: int
999
audit.podSecurityContext.supplementalGroups[0]π£
Type: int
999
audit.extraRulesπ£
Type: list
[]
Default value (formatted)
[]
crds.resourcesπ£
Type: object
{}
Default value (formatted)
{}
crds.securityContext.allowPrivilegeEscalationπ£
Type: bool
false
crds.securityContext.capabilities.drop[0]π£
Type: string
"all"
crds.securityContext.readOnlyRootFilesystemπ£
Type: bool
true
crds.securityContext.runAsGroupπ£
Type: int
65532
crds.securityContext.runAsNonRootπ£
Type: bool
true
crds.securityContext.runAsUserπ£
Type: int
65532
pdb.controllerManager.minAvailableπ£
Type: int
1
serviceπ£
Type: object
{}
Default value (formatted)
{}
disabledBuiltins[0]
Type: string
"{http.send}"
Note: This removes the Rego http.send builtin, so policy code in ConstraintTemplates cannot make outbound HTTP requests from the webhook or audit pods. Do not remove it: any cluster user able to create a ConstraintTemplate would otherwise gain an HTTP client running inside the Gatekeeper service account's network position.
psp.enabledπ£
Type: bool
false
upgradeCRDs.enabledπ£
Type: bool
true
upgradeCRDs.tolerationsπ£
Type: list
[]
Default value (formatted)
[]
upgradeCRDs.extraRulesπ£
Type: list
[]
Default value (formatted)
[]
cleanupCRDs.enabledπ£
Type: bool
true
rbac.createπ£
Type: bool
true
violations.allowedAppArmorProfiles.enabledπ£
Type: bool
false
violations.allowedAppArmorProfiles.enforcementActionπ£
Type: string
"dryrun"
violations.allowedAppArmorProfiles.kindπ£
Type: string
"K8sPSPAppArmor"
violations.allowedAppArmorProfiles.nameπ£
Type: string
"allowed-app-armor-profiles"
violations.allowedAppArmorProfiles.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.allowedAppArmorProfiles.parameters.allowedProfiles[0]π£
Type: string
"runtime/default"
violations.allowedAppArmorProfiles.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.allowedCapabilities.enabledπ£
Type: bool
true
violations.allowedCapabilities.enforcementAction
Type: string
"dryrun"
Note: "dryrun" records violations in the audit results and logs but does not reject admission; only "deny" blocks the object. In these defaults, allowedCapabilities, allowedSecCompProfiles, allowedUsers, blockNodePort, containerRatio, imageDigest, namespacesHaveIstio, noBigContainers, noDefaultServiceAccount, noPrivilegedEscalation, podsHaveIstio, readOnlyRoot, requiredLabels and requiredProbes ship in dryrun. Review which of these should be promoted to "deny" for your environment; the audit output is the place to confirm a constraint is clean before promoting it.
violations.allowedCapabilities.kindπ£
Type: string
"K8sPSPCapabilities"
violations.allowedCapabilities.nameπ£
Type: string
"allowed-capabilities"
violations.allowedCapabilities.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.allowedCapabilities.parameters.allowedCapabilitiesπ£
Type: list
[]
Default value (formatted)
[]
violations.allowedCapabilities.parameters.requiredDropCapabilities[0]π£
Type: string
"all"
violations.allowedCapabilities.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.allowedDockerRegistries.enabledπ£
Type: bool
true
violations.allowedDockerRegistries.enforcementActionπ£
Type: string
"deny"
violations.allowedDockerRegistries.kindπ£
Type: string
"K8sAllowedRepos"
violations.allowedDockerRegistries.nameπ£
Type: string
"allowed-docker-registries"
violations.allowedDockerRegistries.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.allowedDockerRegistries.parameters.repos[0]π£
Type: string
"registry1.dso.mil"
violations.allowedDockerRegistries.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.allowedFlexVolumes.enabledπ£
Type: bool
true
violations.allowedFlexVolumes.enforcementActionπ£
Type: string
"deny"
violations.allowedFlexVolumes.kindπ£
Type: string
"K8sPSPFlexVolumes"
violations.allowedFlexVolumes.nameπ£
Type: string
"allowed-flex-volumes"
violations.allowedFlexVolumes.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.allowedFlexVolumes.parameters.allowedFlexVolumesπ£
Type: list
[]
Default value (formatted)
[]
violations.allowedFlexVolumes.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.allowedHostFilesystem.enabledπ£
Type: bool
true
violations.allowedHostFilesystem.enforcementActionπ£
Type: string
"deny"
violations.allowedHostFilesystem.kindπ£
Type: string
"K8sPSPHostFilesystem"
violations.allowedHostFilesystem.nameπ£
Type: string
"allowed-host-filesystem"
violations.allowedHostFilesystem.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.allowedHostFilesystem.parameters.allowedHostPaths
Type: list
[]
Default value (formatted)
[]
Note: An empty allowlist combined with enforcementAction "deny" rejects every pod that mounts a hostPath volume. Prefer to keep it empty and carve out specific workloads with excludedResources rather than adding broad path prefixes, since a writable hostPath is a direct route to the node.
violations.allowedHostFilesystem.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.allowedIPs.enabledπ£
Type: bool
true
violations.allowedIPs.enforcementActionπ£
Type: string
"deny"
violations.allowedIPs.kindπ£
Type: string
"K8sExternalIPs"
violations.allowedIPs.nameπ£
Type: string
"allowed-ips"
violations.allowedIPs.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.allowedIPs.parameters.allowedIPs
Type: list
[]
Default value (formatted)
[]
Note: An empty allowlist with enforcementAction "deny" rejects any Service that sets spec.externalIPs. Keep it empty unless a specific external IP is required; externalIPs let a Service claim arbitrary addresses and intercept traffic destined for them.
violations.allowedIPs.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.allowedProcMount.enabledπ£
Type: bool
true
violations.allowedProcMount.enforcementActionπ£
Type: string
"deny"
violations.allowedProcMount.kindπ£
Type: string
"K8sPSPProcMount"
violations.allowedProcMount.nameπ£
Type: string
"allowed-proc-mount"
violations.allowedProcMount.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.allowedProcMount.parameters.procMountπ£
Type: string
"Default"
violations.allowedProcMount.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.allowedSecCompProfiles.enabledπ£
Type: bool
true
violations.allowedSecCompProfiles.enforcementActionπ£
Type: string
"dryrun"
violations.allowedSecCompProfiles.kindπ£
Type: string
"K8sPSPSeccomp"
violations.allowedSecCompProfiles.nameπ£
Type: string
"allowed-sec-comp-profiles"
violations.allowedSecCompProfiles.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.allowedSecCompProfiles.parameters.allowedProfiles[0]π£
Type: string
"runtime/default"
violations.allowedSecCompProfiles.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.allowedUsers.enabledπ£
Type: bool
true
violations.allowedUsers.enforcementActionπ£
Type: string
"dryrun"
violations.allowedUsers.kindπ£
Type: string
"K8sPSPAllowedUsers"
violations.allowedUsers.nameπ£
Type: string
"allowed-users"
violations.allowedUsers.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.allowedUsers.parameters.runAsUser.ruleπ£
Type: string
"MustRunAsNonRoot"
violations.allowedUsers.parameters.fsGroup.ruleπ£
Type: string
"MustRunAs"
violations.allowedUsers.parameters.fsGroup.ranges[0].minπ£
Type: int
1000
violations.allowedUsers.parameters.fsGroup.ranges[0].maxπ£
Type: int
65535
violations.allowedUsers.parameters.runAsGroup.ruleπ£
Type: string
"MustRunAs"
violations.allowedUsers.parameters.runAsGroup.ranges[0].minπ£
Type: int
1000
violations.allowedUsers.parameters.runAsGroup.ranges[0].maxπ£
Type: int
65535
violations.allowedUsers.parameters.supplementalGroups.ruleπ£
Type: string
"MustRunAs"
violations.allowedUsers.parameters.supplementalGroups.ranges[0].minπ£
Type: int
1000
violations.allowedUsers.parameters.supplementalGroups.ranges[0].maxπ£
Type: int
65535
violations.allowedUsers.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.bannedImageTags.enabledπ£
Type: bool
true
violations.bannedImageTags.enforcementActionπ£
Type: string
"deny"
violations.bannedImageTags.kindπ£
Type: string
"K8sBannedImageTags"
violations.bannedImageTags.nameπ£
Type: string
"banned-image-tags"
violations.bannedImageTags.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.bannedImageTags.parameters.tags[0]
Type: string
"latest"
Note: This bans only the literal tag "latest"; other mutable tags are still allowed. The imageDigest constraint (which requires images to be pinned by digest) is the stronger control but ships in dryrun, so promote it to "deny" if immutable image references are a requirement.
violations.bannedImageTags.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.blockNodePort.enabledπ£
Type: bool
true
violations.blockNodePort.enforcementActionπ£
Type: string
"dryrun"
violations.blockNodePort.kindπ£
Type: string
"K8sBlockNodePort"
violations.blockNodePort.nameπ£
Type: string
"block-node-ports"
violations.blockNodePort.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.blockNodePort.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.containerRatio.enabledπ£
Type: bool
true
violations.containerRatio.enforcementActionπ£
Type: string
"dryrun"
violations.containerRatio.kindπ£
Type: string
"K8sContainerRatios"
violations.containerRatio.nameπ£
Type: string
"container-ratios"
violations.containerRatio.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.containerRatio.parameters.ratioπ£
Type: string
"2"
violations.containerRatio.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.hostNetworking.enabledπ£
Type: bool
true
violations.hostNetworking.enforcementActionπ£
Type: string
"deny"
violations.hostNetworking.kindπ£
Type: string
"K8sPSPHostNetworkingPorts"
violations.hostNetworking.nameπ£
Type: string
"host-networking"
violations.hostNetworking.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.hostNetworking.parameters.hostNetworkπ£
Type: bool
false
violations.hostNetworking.parameters.minπ£
Type: int
0
violations.hostNetworking.parameters.maxπ£
Type: int
0
violations.hostNetworking.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.httpsOnly.enabledπ£
Type: bool
true
violations.httpsOnly.enforcementActionπ£
Type: string
"deny"
violations.httpsOnly.kindπ£
Type: string
"K8sHttpsOnly2"
violations.httpsOnly.nameπ£
Type: string
"https-only"
violations.httpsOnly.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.httpsOnly.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.imageDigest.enabledπ£
Type: bool
true
violations.imageDigest.enforcementActionπ£
Type: string
"dryrun"
violations.imageDigest.kindπ£
Type: string
"K8sImageDigests2"
violations.imageDigest.nameπ£
Type: string
"image-digest"
violations.imageDigest.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.imageDigest.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.namespacesHaveIstio.enabledπ£
Type: bool
true
violations.namespacesHaveIstio.enforcementActionπ£
Type: string
"dryrun"
violations.namespacesHaveIstio.kindπ£
Type: string
"K8sRequiredLabelValues"
violations.namespacesHaveIstio.nameπ£
Type: string
"namespaces-have-istio"
violations.namespacesHaveIstio.match.namespaceSelector.matchExpressions[0].key
Type: string
"admission.gatekeeper.sh/ignore"
violations.namespacesHaveIstio.match.namespaceSelector.matchExpressions[0].operator
Type: string
"DoesNotExist"
Note: This constraint is scoped to namespaces that do not carry the admission.gatekeeper.sh/ignore label. That label is the chart's namespace-level policy exemption, so who can set it matters; see validatingWebhookCheckIgnoreFailurePolicy above.
violations.namespacesHaveIstio.parameters.labels[0].allowedRegexπ£
Type: string
"^enabled"
violations.namespacesHaveIstio.parameters.labels[0].keyπ£
Type: string
"istio-injection"
violations.namespacesHaveIstio.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.noBigContainers.enabledπ£
Type: bool
true
violations.noBigContainers.enforcementActionπ£
Type: string
"dryrun"
violations.noBigContainers.kindπ£
Type: string
"K8sContainerLimits"
violations.noBigContainers.nameπ£
Type: string
"no-big-container"
violations.noBigContainers.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.noBigContainers.parameters.cpuπ£
Type: string
"2000m"
violations.noBigContainers.parameters.memoryπ£
Type: string
"4G"
violations.noBigContainers.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.noHostNamespace.enabledπ£
Type: bool
true
violations.noHostNamespace.enforcementActionπ£
Type: string
"deny"
violations.noHostNamespace.kindπ£
Type: string
"K8sPSPHostNamespace2"
violations.noHostNamespace.nameπ£
Type: string
"no-host-namespace"
violations.noHostNamespace.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.noHostNamespace.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.noPrivilegedContainers.enabledπ£
Type: bool
true
violations.noPrivilegedContainers.enforcementActionπ£
Type: string
"deny"
violations.noPrivilegedContainers.kindπ£
Type: string
"K8sPSPPrivilegedContainer2"
violations.noPrivilegedContainers.nameπ£
Type: string
"no-privileged-containers"
violations.noPrivilegedContainers.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.noPrivilegedContainers.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.noDefaultServiceAccount.enabledπ£
Type: bool
true
violations.noDefaultServiceAccount.enforcementActionπ£
Type: string
"dryrun"
violations.noDefaultServiceAccount.kindπ£
Type: string
"K8sDenySADefault"
violations.noDefaultServiceAccount.nameπ£
Type: string
"no-default-service-account"
violations.noDefaultServiceAccount.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.noDefaultServiceAccount.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.noPrivilegedEscalation.enabledπ£
Type: bool
true
violations.noPrivilegedEscalation.enforcementAction
Type: string
"dryrun"
Note: Containers with allowPrivilegeEscalation unset or true are only reported, not rejected, at this setting. Together with readOnlyRoot (also dryrun) this is one of the first constraints worth promoting to "deny", since setuid binaries and file capabilities are the usual in-container escalation path.
violations.noPrivilegedEscalation.kindπ£
Type: string
"K8sPSPAllowPrivilegeEscalationContainer2"
violations.noPrivilegedEscalation.nameπ£
Type: string
"no-privileged-escalation"
violations.noPrivilegedEscalation.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.noPrivilegedEscalation.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.noSysctls.enabledπ£
Type: bool
true
violations.noSysctls.enforcementActionπ£
Type: string
"deny"
violations.noSysctls.kindπ£
Type: string
"K8sPSPForbiddenSysctls"
violations.noSysctls.nameπ£
Type: string
"no-sysctls"
violations.noSysctls.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.noSysctls.parameters.forbiddenSysctls[0]π£
Type: string
"*"
violations.noSysctls.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.podsHaveIstio.enabledπ£
Type: bool
true
violations.podsHaveIstio.enforcementActionπ£
Type: string
"dryrun"
violations.podsHaveIstio.kindπ£
Type: string
"K8sNoAnnotationValues"
violations.podsHaveIstio.nameπ£
Type: string
"pods-have-istio"
violations.podsHaveIstio.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.podsHaveIstio.parameters.annotations[0].disallowedRegexπ£
Type: string
"^false"
violations.podsHaveIstio.parameters.annotations[0].keyπ£
Type: string
"sidecar.istio.io/inject"
violations.podsHaveIstio.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.readOnlyRoot.enabledπ£
Type: bool
true
violations.readOnlyRoot.enforcementActionπ£
Type: string
"dryrun"
violations.readOnlyRoot.kindπ£
Type: string
"K8sPSPReadOnlyRootFilesystem2"
violations.readOnlyRoot.nameπ£
Type: string
"read-only-root"
violations.readOnlyRoot.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.readOnlyRoot.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.requiredLabels.enabledπ£
Type: bool
true
violations.requiredLabels.enforcementActionπ£
Type: string
"dryrun"
violations.requiredLabels.kindπ£
Type: string
"K8sRequiredLabelValues"
violations.requiredLabels.nameπ£
Type: string
"required-labels"
violations.requiredLabels.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.requiredLabels.parameters.labels[0].allowedRegex
Type: string
""
Note: An empty allowedRegex matches any value, so the requiredLabels constraint only checks that each listed key is present; it does not validate label content.
violations.requiredLabels.parameters.labels[0].keyπ£
Type: string
"app.kubernetes.io/name"
violations.requiredLabels.parameters.labels[1].allowedRegexπ£
Type: string
""
violations.requiredLabels.parameters.labels[1].keyπ£
Type: string
"app.kubernetes.io/instance"
violations.requiredLabels.parameters.labels[2].allowedRegexπ£
Type: string
""
violations.requiredLabels.parameters.labels[2].keyπ£
Type: string
"app.kubernetes.io/version"
violations.requiredLabels.parameters.labels[3].allowedRegexπ£
Type: string
""
violations.requiredLabels.parameters.labels[3].keyπ£
Type: string
"app.kubernetes.io/component"
violations.requiredLabels.parameters.labels[4].allowedRegexπ£
Type: string
""
violations.requiredLabels.parameters.labels[4].keyπ£
Type: string
"app.kubernetes.io/part-of"
violations.requiredLabels.parameters.labels[5].allowedRegexπ£
Type: string
""
violations.requiredLabels.parameters.labels[5].keyπ£
Type: string
"app.kubernetes.io/managed-by"
violations.requiredLabels.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.requiredProbes.enabledπ£
Type: bool
true
violations.requiredProbes.enforcementActionπ£
Type: string
"dryrun"
violations.requiredProbes.kindπ£
Type: string
"K8sRequiredProbes"
violations.requiredProbes.nameπ£
Type: string
"required-probes"
violations.requiredProbes.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.requiredProbes.parameters.probeTypes[0]π£
Type: string
"tcpSocket"
violations.requiredProbes.parameters.probeTypes[1]π£
Type: string
"httpGet"
violations.requiredProbes.parameters.probeTypes[2]π£
Type: string
"exec"
violations.requiredProbes.parameters.probes[0]π£
Type: string
"readinessProbe"
violations.requiredProbes.parameters.probes[1]π£
Type: string
"livenessProbe"
violations.requiredProbes.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.restrictedTaint.enabledπ£
Type: bool
true
violations.restrictedTaint.enforcementActionπ£
Type: string
"deny"
violations.restrictedTaint.kindπ£
Type: string
"RestrictedTaintToleration"
violations.restrictedTaint.nameπ£
Type: string
"restricted-taint"
violations.restrictedTaint.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.restrictedTaint.parameters.allowGlobalTolerationπ£
Type: bool
false
violations.restrictedTaint.parameters.restrictedTaint.effectπ£
Type: string
"NoSchedule"
violations.restrictedTaint.parameters.restrictedTaint.keyπ£
Type: string
"privileged"
violations.restrictedTaint.parameters.restrictedTaint.valueπ£
Type: string
"true"
violations.restrictedTaint.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.selinuxPolicy.enabledπ£
Type: bool
true
violations.selinuxPolicy.enforcementActionπ£
Type: string
"deny"
violations.selinuxPolicy.kindπ£
Type: string
"K8sPSPSELinuxV2"
violations.selinuxPolicy.nameπ£
Type: string
"selinux-policy"
violations.selinuxPolicy.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.selinuxPolicy.parameters.allowedSELinuxOptionsπ£
Type: list
[]
Default value (formatted)
[]
violations.selinuxPolicy.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.uniqueIngressHost.enabledπ£
Type: bool
true
violations.uniqueIngressHost.enforcementActionπ£
Type: string
"deny"
violations.uniqueIngressHost.kindπ£
Type: string
"K8sUniqueIngressHost"
violations.uniqueIngressHost.nameπ£
Type: string
"unique-ingress-hosts"
violations.uniqueIngressHost.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.uniqueIngressHost.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
violations.volumeTypes.enabledπ£
Type: bool
true
violations.volumeTypes.enforcementActionπ£
Type: string
"deny"
violations.volumeTypes.kindπ£
Type: string
"K8sPSPVolumeTypes"
violations.volumeTypes.nameπ£
Type: string
"volume-types"
violations.volumeTypes.matchπ£
Type: object
{}
Default value (formatted)
{}
violations.volumeTypes.parameters.volumes[0]π£
Type: string
"configMap"
violations.volumeTypes.parameters.volumes[1]π£
Type: string
"emptyDir"
violations.volumeTypes.parameters.volumes[2]π£
Type: string
"projected"
violations.volumeTypes.parameters.volumes[3]π£
Type: string
"secret"
violations.volumeTypes.parameters.volumes[4]π£
Type: string
"downwardAPI"
violations.volumeTypes.parameters.volumes[5]π£
Type: string
"persistentVolumeClaim"
violations.volumeTypes.parameters.excludedResourcesπ£
Type: list
[]
Default value (formatted)
[]
monitoring.enabledπ£
Type: bool
false
networkPolicies.enabled
Type: bool
false
networkPolicies.controlPlaneCidr
Type: string
"0.0.0.0/0"
Note: The CIDR is unused while networkPolicies.enabled is false. When you enable the chart's NetworkPolicies, replace 0.0.0.0/0 with the API server's actual address range; left as-is, the policy meant to limit Gatekeeper's egress to the control plane permits egress to any destination.
bbtests.enabledπ£
Type: bool
false
bbtests.scripts.imageπ£
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.22.2"
bbtests.scripts.additionalVolumeMounts[0].nameπ£
Type: string
"{{ .Chart.Name }}-test-config"
bbtests.scripts.additionalVolumeMounts[0].mountPathπ£
Type: string
"/yaml"
bbtests.scripts.additionalVolumeMounts[1].nameπ£
Type: string
"{{ .Chart.Name }}-kube-cache"
bbtests.scripts.additionalVolumeMounts[1].mountPathπ£
Type: string
"/.kube/cache"
bbtests.scripts.additionalVolumes[0].nameπ£
Type: string
"{{ .Chart.Name }}-test-config"
bbtests.scripts.additionalVolumes[0].configMap.nameπ£
Type: string
"{{ .Chart.Name }}-test-config"
bbtests.scripts.additionalVolumes[1].nameπ£
Type: string
"{{ .Chart.Name }}-kube-cache"
bbtests.scripts.additionalVolumes[1].emptyDirπ£
Type: object
{}
Default value (formatted)
{}