kyverno values.yaml
💣
nameOverride💣
Type: string
nil
Description: Override the name of the chart
fullnameOverride💣
Type: string
nil
Description: Override the expanded name of the chart
namespace💣
Type: string
nil
Description: Namespace the chart deploys to
customLabels💣
Type: object
{}
Default value (formatted)
{}
Description: Additional labels
rbac.create💣
Type: bool
true
Description: Create ClusterRoles, ClusterRoleBindings, and ServiceAccount
rbac.serviceAccount.create💣
Type: bool
true
Description: Create a ServiceAccount
rbac.serviceAccount.name💣
Type: string
nil
Description: The ServiceAccount name
rbac.serviceAccount.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Annotations for the ServiceAccount
image.repository💣
Type: string
"registry1.dso.mil/ironbank/nirmata/kyverno"
Description: Image repository
image.tag💣
Type: string
nil
Description: Image tag Defaults to appVersion in Chart.yaml if omitted
image.pullPolicy💣
Type: string
"IfNotPresent"
Description: Image pull policy
image.pullSecrets💣
Type: list
[]
Default value (formatted)
[]
Description: Image pull secrets
initImage.repository💣
Type: string
"registry1.dso.mil/ironbank/nirmata/kyvernopre"
Description: Image repository
initImage.tag💣
Type: string
nil
Description: Image tag If initImage.tag is missing, defaults to image.tag
initImage.pullPolicy💣
Type: string
nil
Description: Image pull policy If initImage.pullPolicy is missing, defaults to image.pullPolicy
testImage.repository💣
Type: string
"registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal"
Description: Image repository Defaults to busybox
if omitted
testImage.tag💣
Type: float
8.6
Description: Image tag Defaults to latest
if omitted
testImage.pullPolicy💣
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
replicaCount💣
Type: int
1
Description: Desired number of pods
podLabels💣
Type: object
{}
Default value (formatted)
{}
Description: Additional labels to add to each pod
podAnnotations💣
Type: object
{}
Default value (formatted)
{}
Description: Additional annotations to add to each pod
podSecurityContext💣
Type: object
{}
Default value (formatted)
{}
Description: Security context for the pod
securityContext💣
Type: object
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"ALL"
]
},
"privileged": false,
"readOnlyRootFilesystem": true,
"runAsNonRoot": true,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
Description: Security context for the containers
priorityClassName💣
Type: string
""
Description: Optional priority class to be used for kyverno pods
antiAffinity.enable💣
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
podAffinity💣
Type: object
{}
Default value (formatted)
{}
Description: Pod affinity constraints.
nodeAffinity💣
Type: object
{}
Default value (formatted)
{}
Description: Node affinity constraints.
podDisruptionBudget.minAvailable💣
Type: int
1
Description: Configures the minimum available pods for kyverno disruptions. Cannot be used if maxUnavailable
is set.
podDisruptionBudget.maxUnavailable💣
Type: string
nil
Description: Configures the maximum unavailable pods for kyverno disruptions. Cannot be used if minAvailable
is set.
nodeSelector💣
Type: object
{}
Default value (formatted)
{}
Description: Node labels for pod assignment
tolerations💣
Type: list
[]
Default value (formatted)
[]
Description: List of node taints to tolerate
hostNetwork💣
Type: bool
false
Description: Change hostNetwork
to true
when you want the kyverno’s pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy
accordingly as well to suit the host network mode.
dnsPolicy💣
Type: string
"ClusterFirst"
Description: dnsPolicy
determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true
, usually, the dnsPolicy
is suitable to be ClusterFirstWithHostNet
. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
envVarsInit💣
Type: object
{}
Default value (formatted)
{}
Description: Env variables for initContainers.
envVars💣
Type: object
{}
Default value (formatted)
{}
Description: Env variables for containers.
extraArgs💣
Type: list
["--clientRateLimitQPS=25","--clientRateLimitBurst=50","--autogenInternals=false"]
Default value (formatted)
[
"--clientRateLimitQPS=25",
"--clientRateLimitBurst=50",
"--autogenInternals=false"
]
Description: Extra arguments to give to the binary.
imagePullSecrets💣
Type: object
{}
Default value (formatted)
{}
Description: Image pull secrets for image verify and imageData policies. This will define the --imagePullSecrets
Kyverno argument.
resources.limits💣
Type: object
{"cpu":"500m","memory":"512Mi"}
Default value (formatted)
{
"cpu": "500m",
"memory": "512Mi"
}
Description: Pod resource limits
resources.requests💣
Type: object
{"cpu":"500m","memory":"512Mi"}
Default value (formatted)
{
"cpu": "500m",
"memory": "512Mi"
}
Description: Pod resource requests
initResources.limits💣
Type: object
{"cpu":"100m","memory":"256Mi"}
Default value (formatted)
{
"cpu": "100m",
"memory": "256Mi"
}
Description: Pod resource limits
initResources.requests💣
Type: object
{"cpu":"100m","memory":"256Mi"}
Default value (formatted)
{
"cpu": "100m",
"memory": "256Mi"
}
Description: Pod resource requests
generatecontrollerExtraResources💣
Type: string
nil
excludeKyvernoNamespace💣
Type: bool
true
Description: Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters
config.existingConfig💣
Type: string
""
Description: Name of an existing config map (ignores default/provided resourceFilters)
config.excludeGroupRole💣
Type: string
nil
Description: Exclude group role
config.excludeUsername💣
Type: string
nil
Description: Exclude username
config.webhooks💣
Type: string
nil
Description: Defines the namespaceSelector
in the webhook configurations. Note that it takes a list of namespaceSelector
and/or objectSelector
in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if excludeKyvernoNamespace
is true
(default)
config.generateSuccessEvents💣
Type: bool
false
Description: Generate success events.
config.metricsConfig💣
Type: object
{"namespaces":{"exclude":[],"include":[]}}
Default value (formatted)
{
"namespaces": {
"exclude": [],
"include": []
}
}
Description: Metrics config.
service.port💣
Type: int
443
Description: Service port.
service.type💣
Type: string
"ClusterIP"
Description: Service type.
service.nodePort💣
Type: string
nil
Description: Service node port. Only used if service.type
is NodePort
.
service.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Service annotations.
topologySpreadConstraints💣
Type: list
[]
Default value (formatted)
[]
Description: Topology spread constraints.
metricsService.create💣
Type: bool
true
Description: Create service.
metricsService.port💣
Type: int
8000
Description: Service port. Kyverno’s metrics server will be exposed at this port.
metricsService.type💣
Type: string
"ClusterIP"
Description: Service type.
metricsService.nodePort💣
Type: string
nil
Description: Service node port. Only used if metricsService.type
is NodePort
.
metricsService.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Service annotations.
serviceMonitor.enabled💣
Type: bool
false
Description: Create a ServiceMonitor
to collect Prometheus metrics.
serviceMonitor.additionalLabels💣
Type: string
nil
Description: Additional labels
serviceMonitor.namespace💣
Type: string
nil
Description: Override namespace (default is the same as kyverno)
serviceMonitor.interval💣
Type: string
"30s"
Description: Interval to scrape metrics
serviceMonitor.scrapeTimeout💣
Type: string
"25s"
Description: Timeout if metrics can’t be retrieved in given time interval
serviceMonitor.secure💣
Type: bool
false
Description: Is TLS required for endpoint
serviceMonitor.tlsConfig💣
Type: object
{}
Default value (formatted)
{}
Description: TLS Configuration for endpoint
serviceMonitor.dashboards.namespace💣
Type: string
nil
serviceMonitor.dashboards.label💣
Type: string
"grafana_dashboard"
createSelfSignedCert💣
Type: bool
false
Description: Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure. As long as you follow the naming scheme, it will be automatically picked up. kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entry named rootCA.crt) kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false
installCRDs💣
Type: bool
true
Description: Whether to have Helm install the Kyverno CRDs. If the CRDs are not installed by Helm, they must be added before policies can be created.
networkPolicy.enabled💣
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
networkPolicy.ingressFrom💣
Type: list
[]
Default value (formatted)
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
webhooksCleanup.enable💣
Type: bool
false
Description: Create a helm pre-delete hook to cleanup webhooks.
webhooksCleanup.image💣
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.25.2"
Description: kubectl
image to run commands for deleting webhooks.
tufRootMountPath💣
Type: string
"/.sigstore"
Description: A writable volume to use for the TUF root initialization
networkPolicies.enabled💣
Type: bool
false
networkPolicies.controlPlaneCidr💣
Type: string
"0.0.0.0/0"
istio.enabled💣
Type: bool
false
openshift💣
Type: bool
false
bbtests.enabled💣
Type: bool
false
bbtests.scripts.image💣
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.25.2"
bbtests.scripts.additionalVolumeMounts[0].name💣
Type: string
"kyverno-bbtest-manifest"
bbtests.scripts.additionalVolumeMounts[0].mountPath💣
Type: string
"/yaml"
bbtests.scripts.additionalVolumes[0].name💣
Type: string
"kyverno-bbtest-manifest"
bbtests.scripts.additionalVolumes[0].configMap.name💣
Type: string
"kyverno-bbtest-manifest"