policy `values.yaml`💣

openshift💣

Type: bool

Default value

false

replicas💣

Type: int

Default value

auditInterval💣

Type: int

Default value

metricsBackends[0]💣

Type: string

Default value

"prometheus"

auditMatchKindOnly💣

Type: bool

Default value

true

constraintViolationsLimit💣

Type: int

Default value

auditFromCache💣

Type: bool

Default value

false

disableMutation💣

Type: bool

Default value

true

disableValidatingWebhook💣

Type: bool

Default value

false

validatingWebhookTimeoutSeconds💣

Type: int

Default value

validatingWebhookFailurePolicy💣

Type: string

Default value

"Ignore"

validatingWebhookExemptNamespacesLabels💣

Type: object

Default value

{}

Default value (formatted)

{}

validatingWebhookObjectSelector💣

Type: object

Default value

{}

Default value (formatted)

{}

validatingWebhookCheckIgnoreFailurePolicy💣

Type: string

Default value

"Fail"

validatingWebhookCustomRules💣

Type: object

Default value

{}

Default value (formatted)

{}

enableDeleteOperations💣

Type: bool

Default value

false

enableExternalData💣

Type: bool

Default value

false

enableTLSHealthcheck💣

Type: bool

Default value

false

mutatingWebhookFailurePolicy💣

Type: string

Default value

"Ignore"

mutatingWebhookReinvocationPolicy💣

Type: string

Default value

"Never"

mutatingWebhookExemptNamespacesLabels💣

Type: object

Default value

{}

Default value (formatted)

{}

mutatingWebhookObjectSelector💣

Type: object

Default value

{}

Default value (formatted)

{}

mutatingWebhookTimeoutSeconds💣

Type: int

Default value

mutatingWebhookCustomRules💣

Type: object

Default value

{}

Default value (formatted)

{}

mutationAnnotations💣

Type: bool

Default value

false

auditChunkSize💣

Type: int

Default value

logLevel💣

Type: string

Default value

"INFO"

logDenies💣

Type: bool

Default value

true

logMutations💣

Type: bool

Default value

true

emitAdmissionEvents💣

Type: bool

Default value

false

emitAuditEvents💣

Type: bool

Default value

false

resourceQuota💣

Type: bool

Default value

true

postUpgrade.labelNamespace.enabled💣

Type: bool

Default value

false

postUpgrade.labelNamespace.image.repository💣

Type: string

Default value

"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"

postUpgrade.labelNamespace.image.tag💣

Type: string

Default value

"v1.25.2"

postUpgrade.labelNamespace.image.pullPolicy💣

Type: string

Default value

"IfNotPresent"

postUpgrade.labelNamespace.image.pullSecrets💣

Type: list

Default value

[]

Default value (formatted)

[]

postUpgrade.labelNamespace.extraNamespaces💣

Type: list

Default value

[]

Default value (formatted)

[]

postUpgrade.securityContext.allowPrivilegeEscalation💣

Type: bool

Default value

false

postUpgrade.securityContext.capabilities.drop[0]💣

Type: string

Default value

"all"

postUpgrade.securityContext.readOnlyRootFilesystem💣

Type: bool

Default value

true

postUpgrade.securityContext.runAsGroup💣

Type: int

Default value

postUpgrade.securityContext.runAsNonRoot💣

Type: bool

Default value

true

postUpgrade.securityContext.runAsUser💣

Type: int

Default value

postInstall.labelNamespace.extraRules💣

Type: list

Default value

[]

Default value (formatted)

[]

postInstall.labelNamespace.enabled💣

Type: bool

Default value

true

postInstall.labelNamespace.image.repository💣

Type: string

Default value

"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"

postInstall.labelNamespace.image.tag💣

Type: string

Default value

"v1.25.2"

postInstall.labelNamespace.image.pullPolicy💣

Type: string

Default value

"IfNotPresent"

postInstall.labelNamespace.image.pullSecrets💣

Type: list

Default value

[]

Default value (formatted)

[]

postInstall.labelNamespace.extraNamespaces💣

Type: list

Default value

[]

Default value (formatted)

[]

postInstall.probeWebhook.enabled💣

Type: bool

Default value

true

postInstall.probeWebhook.image.repository💣

Type: string

Default value

"registry1.dso.mil/ironbank/big-bang/base"

postInstall.probeWebhook.image.tag💣

Type: string

Default value

"2.0.0"

postInstall.probeWebhook.image.pullPolicy💣

Type: string

Default value

"IfNotPresent"

postInstall.probeWebhook.image.pullSecrets💣

Type: list

Default value

[]

Default value (formatted)

[]

postInstall.probeWebhook.waitTimeout💣

Type: int

Default value

postInstall.probeWebhook.httpTimeout💣

Type: int

Default value

postInstall.probeWebhook.insecureHTTPS💣

Type: bool

Default value

false

postInstall.securityContext.allowPrivilegeEscalation💣

Type: bool

Default value

false

postInstall.securityContext.capabilities.drop[0]💣

Type: string

Default value

"all"

postInstall.securityContext.readOnlyRootFilesystem💣

Type: bool

Default value

true

postInstall.securityContext.runAsGroup💣

Type: int

Default value

postInstall.securityContext.runAsNonRoot💣

Type: bool

Default value

true

postInstall.securityContext.runAsUser💣

Type: int

Default value

preUninstall.deleteWebhookConfigurations.extraRules💣

Type: list

Default value

[]

Default value (formatted)

[]

preUninstall.deleteWebhookConfigurations.enabled💣

Type: bool

Default value

false

preUninstall.deleteWebhookConfigurations.image.repository💣

Type: string

Default value

"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"

preUninstall.deleteWebhookConfigurations.image.tag💣

Type: string

Default value

"v1.25.2"

preUninstall.deleteWebhookConfigurations.image.pullPolicy💣

Type: string

Default value

"IfNotPresent"

preUninstall.deleteWebhookConfigurations.image.pullSecrets💣

Type: list

Default value

[]

Default value (formatted)

[]

preUninstall.securityContext.allowPrivilegeEscalation💣

Type: bool

Default value

false

preUninstall.securityContext.capabilities.drop[0]💣

Type: string

Default value

"all"

preUninstall.securityContext.readOnlyRootFilesystem💣

Type: bool

Default value

true

preUninstall.securityContext.runAsGroup💣

Type: int

Default value

preUninstall.securityContext.runAsNonRoot💣

Type: bool

Default value

true

preUninstall.securityContext.runAsUser💣

Type: int

Default value

image.repository💣

Type: string

Default value

"registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper"

image.release💣

Type: string

Default value

"v3.9.0"

image.pullPolicy💣

Type: string

Default value

"IfNotPresent"

image.pullSecrets[0].name💣

Type: string

Default value

"private-registry"

image.crdRepository💣

Type: string

Default value

"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"

image.crdRelease💣

Type: string

Default value

"v1.25.2"

podAnnotations.”container.seccomp.security.alpha.kubernetes.io/manager”💣

Type: string

Default value

"runtime/default"

podLabels💣

Type: object

Default value

{}

Default value (formatted)

{}

podCountLimit💣

Type: int

Default value

secretAnnotations💣

Type: object

Default value

{}

Default value (formatted)

{}

enableRuntimeDefaultSeccompProfile💣

Type: bool

Default value

true

controllerManager.exemptNamespaces💣

Type: list

Default value

[]

Default value (formatted)

[]

controllerManager.exemptNamespacePrefixes💣

Type: list

Default value

[]

Default value (formatted)

[]

controllerManager.hostNetwork💣

Type: bool

Default value

false

controllerManager.dnsPolicy💣

Type: string

Default value

"ClusterFirst"

controllerManager.port💣

Type: int

Default value

controllerManager.metricsPort💣

Type: int

Default value

controllerManager.healthPort💣

Type: int

Default value

controllerManager.priorityClassName💣

Type: string

Default value

"system-cluster-critical"

controllerManager.disableCertRotation💣

Type: bool

Default value

false

controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].key💣

Type: string

Default value

"gatekeeper.sh/operation"

controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].operator💣

Type: string

Default value

"In"

controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values[0]💣

Type: string

Default value

"webhook"

controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey💣

Type: string

Default value

"kubernetes.io/hostname"

controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight💣

Type: int

Default value

controllerManager.tolerations💣

Type: list

Default value

[]

Default value (formatted)

[]

controllerManager.nodeSelector.”kubernetes.io/os”💣

Type: string

Default value

"linux"

controllerManager.resources.limits.cpu💣

Type: string

Default value

"175m"

controllerManager.resources.limits.memory💣

Type: string

Default value

"512Mi"

controllerManager.resources.requests.cpu💣

Type: string

Default value

"175m"

controllerManager.resources.requests.memory💣

Type: string

Default value

"512Mi"

controllerManager.securityContext.allowPrivilegeEscalation💣

Type: bool

Default value

false

controllerManager.securityContext.capabilities.drop[0]💣

Type: string

Default value

"all"

controllerManager.securityContext.readOnlyRootFilesystem💣

Type: bool

Default value

true

controllerManager.securityContext.runAsGroup💣

Type: int

Default value

controllerManager.securityContext.runAsNonRoot💣

Type: bool

Default value

true

controllerManager.securityContext.runAsUser💣

Type: int

Default value

controllerManager.podSecurityContext.fsGroup💣

Type: int

Default value

controllerManager.podSecurityContext.supplementalGroups[0]💣

Type: int

Default value

controllerManager.extraRules💣

Type: list

Default value

[]

Default value (formatted)

[]

audit.hostNetwork💣

Type: bool

Default value

false

audit.dnsPolicy💣

Type: string

Default value

"ClusterFirst"

audit.metricsPort💣

Type: int

Default value

audit.healthPort💣

Type: int

Default value

audit.priorityClassName💣

Type: string

Default value

"system-cluster-critical"

audit.disableCertRotation💣

Type: bool

Default value

true

audit.affinity💣

Type: object

Default value

{}

Default value (formatted)

{}

audit.tolerations💣

Type: list

Default value

[]

Default value (formatted)

[]

audit.nodeSelector.”kubernetes.io/os”💣

Type: string

Default value

"linux"

audit.writeToRAMDisk💣

Type: bool

Default value

false

audit.resources.limits.cpu💣

Type: float

Default value

1.2

audit.resources.limits.memory💣

Type: string

Default value

"768Mi"

audit.resources.requests.cpu💣

Type: float

Default value

1.2

audit.resources.requests.memory💣

Type: string

Default value

"768Mi"

audit.securityContext.allowPrivilegeEscalation💣

Type: bool

Default value

false

audit.securityContext.capabilities.drop[0]💣

Type: string

Default value

"all"

audit.securityContext.readOnlyRootFilesystem💣

Type: bool

Default value

true

audit.securityContext.runAsGroup💣

Type: int

Default value

audit.securityContext.runAsNonRoot💣

Type: bool

Default value

true

audit.securityContext.runAsUser💣

Type: int

Default value

audit.podSecurityContext.fsGroup💣

Type: int

Default value

audit.podSecurityContext.supplementalGroups[0]💣

Type: int

Default value

audit.extraRules💣

Type: list

Default value

[]

Default value (formatted)

[]

crds.resources💣

Type: object

Default value

{}

Default value (formatted)

{}

crds.securityContext.allowPrivilegeEscalation💣

Type: bool

Default value

false

crds.securityContext.capabilities.drop[0]💣

Type: string

Default value

"all"

crds.securityContext.readOnlyRootFilesystem💣

Type: bool

Default value

true

crds.securityContext.runAsGroup💣

Type: int

Default value

crds.securityContext.runAsNonRoot💣

Type: bool

Default value

true

crds.securityContext.runAsUser💣

Type: int

Default value

pdb.controllerManager.minAvailable💣

Type: int

Default value

service💣

Type: object

Default value

{}

Default value (formatted)

{}

disabledBuiltins[0]💣

Type: string

Default value

"{http.send}"

psp.enabled💣

Type: bool

Default value

false

upgradeCRDs.enabled💣

Type: bool

Default value

true

upgradeCRDs.tolerations💣

Type: list

Default value

[]

Default value (formatted)

[]

upgradeCRDs.extraRules💣

Type: list

Default value

[]

Default value (formatted)

[]

cleanupCRDs.enabled💣

Type: bool

Default value

true

rbac.create💣

Type: bool

Default value

true

violations.allowedAppArmorProfiles.enabled💣

Type: bool

Default value

false

violations.allowedAppArmorProfiles.enforcementAction💣

Type: string

Default value

"dryrun"

violations.allowedAppArmorProfiles.kind💣

Type: string

Default value

"K8sPSPAppArmor"

violations.allowedAppArmorProfiles.name💣

Type: string

Default value

"allowed-app-armor-profiles"

violations.allowedAppArmorProfiles.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.allowedAppArmorProfiles.parameters.allowedProfiles[0]💣

Type: string

Default value

"runtime/default"

violations.allowedAppArmorProfiles.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.allowedCapabilities.enabled💣

Type: bool

Default value

true

violations.allowedCapabilities.enforcementAction💣

Type: string

Default value

"dryrun"

violations.allowedCapabilities.kind💣

Type: string

Default value

"K8sPSPCapabilities"

violations.allowedCapabilities.name💣

Type: string

Default value

"allowed-capabilities"

violations.allowedCapabilities.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.allowedCapabilities.parameters.allowedCapabilities💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.allowedCapabilities.parameters.requiredDropCapabilities[0]💣

Type: string

Default value

"all"

violations.allowedCapabilities.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.allowedDockerRegistries.enabled💣

Type: bool

Default value

true

violations.allowedDockerRegistries.enforcementAction💣

Type: string

Default value

"deny"

violations.allowedDockerRegistries.kind💣

Type: string

Default value

"K8sAllowedRepos"

violations.allowedDockerRegistries.name💣

Type: string

Default value

"allowed-docker-registries"

violations.allowedDockerRegistries.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.allowedDockerRegistries.parameters.repos[0]💣

Type: string

Default value

"registry1.dso.mil"

violations.allowedDockerRegistries.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.allowedFlexVolumes.enabled💣

Type: bool

Default value

true

violations.allowedFlexVolumes.enforcementAction💣

Type: string

Default value

"deny"

violations.allowedFlexVolumes.kind💣

Type: string

Default value

"K8sPSPFlexVolumes"

violations.allowedFlexVolumes.name💣

Type: string

Default value

"allowed-flex-volumes"

violations.allowedFlexVolumes.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.allowedFlexVolumes.parameters.allowedFlexVolumes💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.allowedFlexVolumes.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.allowedHostFilesystem.enabled💣

Type: bool

Default value

true

violations.allowedHostFilesystem.enforcementAction💣

Type: string

Default value

"deny"

violations.allowedHostFilesystem.kind💣

Type: string

Default value

"K8sPSPHostFilesystem"

violations.allowedHostFilesystem.name💣

Type: string

Default value

"allowed-host-filesystem"

violations.allowedHostFilesystem.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.allowedHostFilesystem.parameters.allowedHostPaths💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.allowedHostFilesystem.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.allowedIPs.enabled💣

Type: bool

Default value

true

violations.allowedIPs.enforcementAction💣

Type: string

Default value

"deny"

violations.allowedIPs.kind💣

Type: string

Default value

"K8sExternalIPs"

violations.allowedIPs.name💣

Type: string

Default value

"allowed-ips"

violations.allowedIPs.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.allowedIPs.parameters.allowedIPs💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.allowedIPs.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.allowedProcMount.enabled💣

Type: bool

Default value

true

violations.allowedProcMount.enforcementAction💣

Type: string

Default value

"deny"

violations.allowedProcMount.kind💣

Type: string

Default value

"K8sPSPProcMount"

violations.allowedProcMount.name💣

Type: string

Default value

"allowed-proc-mount"

violations.allowedProcMount.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.allowedProcMount.parameters.procMount💣

Type: string

Default value

"Default"

violations.allowedProcMount.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.allowedSecCompProfiles.enabled💣

Type: bool

Default value

true

violations.allowedSecCompProfiles.enforcementAction💣

Type: string

Default value

"dryrun"

violations.allowedSecCompProfiles.kind💣

Type: string

Default value

"K8sPSPSeccomp"

violations.allowedSecCompProfiles.name💣

Type: string

Default value

"allowed-sec-comp-profiles"

violations.allowedSecCompProfiles.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.allowedSecCompProfiles.parameters.allowedProfiles[0]💣

Type: string

Default value

"runtime/default"

violations.allowedSecCompProfiles.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.allowedUsers.enabled💣

Type: bool

Default value

true

violations.allowedUsers.enforcementAction💣

Type: string

Default value

"dryrun"

violations.allowedUsers.kind💣

Type: string

Default value

"K8sPSPAllowedUsers"

violations.allowedUsers.name💣

Type: string

Default value

"allowed-users"

violations.allowedUsers.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.allowedUsers.parameters.runAsUser.rule💣

Type: string

Default value

"MustRunAsNonRoot"

violations.allowedUsers.parameters.fsGroup.rule💣

Type: string

Default value

"MustRunAs"

violations.allowedUsers.parameters.fsGroup.ranges[0].min💣

Type: int

Default value

violations.allowedUsers.parameters.fsGroup.ranges[0].max💣

Type: int

Default value

violations.allowedUsers.parameters.runAsGroup.rule💣

Type: string

Default value

"MustRunAs"

violations.allowedUsers.parameters.runAsGroup.ranges[0].min💣

Type: int

Default value

violations.allowedUsers.parameters.runAsGroup.ranges[0].max💣

Type: int

Default value

violations.allowedUsers.parameters.supplementalGroups.rule💣

Type: string

Default value

"MustRunAs"

violations.allowedUsers.parameters.supplementalGroups.ranges[0].min💣

Type: int

Default value

violations.allowedUsers.parameters.supplementalGroups.ranges[0].max💣

Type: int

Default value

violations.allowedUsers.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.bannedImageTags.enabled💣

Type: bool

Default value

true

violations.bannedImageTags.enforcementAction💣

Type: string

Default value

"deny"

violations.bannedImageTags.kind💣

Type: string

Default value

"K8sBannedImageTags"

violations.bannedImageTags.name💣

Type: string

Default value

"banned-image-tags"

violations.bannedImageTags.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.bannedImageTags.parameters.tags[0]💣

Type: string

Default value

"latest"

violations.bannedImageTags.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.blockNodePort.enabled💣

Type: bool

Default value

true

violations.blockNodePort.enforcementAction💣

Type: string

Default value

"dryrun"

violations.blockNodePort.kind💣

Type: string

Default value

"K8sBlockNodePort"

violations.blockNodePort.name💣

Type: string

Default value

"block-node-ports"

violations.blockNodePort.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.blockNodePort.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.containerRatio.enabled💣

Type: bool

Default value

true

violations.containerRatio.enforcementAction💣

Type: string

Default value

"dryrun"

violations.containerRatio.kind💣

Type: string

Default value

"K8sContainerRatios"

violations.containerRatio.name💣

Type: string

Default value

"container-ratios"

violations.containerRatio.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.containerRatio.parameters.ratio💣

Type: string

Default value

"2"

violations.containerRatio.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.hostNetworking.enabled💣

Type: bool

Default value

true

violations.hostNetworking.enforcementAction💣

Type: string

Default value

"deny"

violations.hostNetworking.kind💣

Type: string

Default value

"K8sPSPHostNetworkingPorts"

violations.hostNetworking.name💣

Type: string

Default value

"host-networking"

violations.hostNetworking.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.hostNetworking.parameters.hostNetwork💣

Type: bool

Default value

false

violations.hostNetworking.parameters.min💣

Type: int

Default value

violations.hostNetworking.parameters.max💣

Type: int

Default value

violations.hostNetworking.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.httpsOnly.enabled💣

Type: bool

Default value

true

violations.httpsOnly.enforcementAction💣

Type: string

Default value

"deny"

violations.httpsOnly.kind💣

Type: string

Default value

"K8sHttpsOnly2"

violations.httpsOnly.name💣

Type: string

Default value

"https-only"

violations.httpsOnly.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.httpsOnly.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.imageDigest.enabled💣

Type: bool

Default value

true

violations.imageDigest.enforcementAction💣

Type: string

Default value

"dryrun"

violations.imageDigest.kind💣

Type: string

Default value

"K8sImageDigests2"

violations.imageDigest.name💣

Type: string

Default value

"image-digest"

violations.imageDigest.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.imageDigest.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.namespacesHaveIstio.enabled💣

Type: bool

Default value

true

violations.namespacesHaveIstio.enforcementAction💣

Type: string

Default value

"dryrun"

violations.namespacesHaveIstio.kind💣

Type: string

Default value

"K8sRequiredLabelValues"

violations.namespacesHaveIstio.name💣

Type: string

Default value

"namespaces-have-istio"

violations.namespacesHaveIstio.match.namespaceSelector.matchExpressions[0].key💣

Type: string

Default value

"admission.gatekeeper.sh/ignore"

violations.namespacesHaveIstio.match.namespaceSelector.matchExpressions[0].operator💣

Type: string

Default value

"DoesNotExist"

violations.namespacesHaveIstio.parameters.labels[0].allowedRegex💣

Type: string

Default value

"^enabled"

violations.namespacesHaveIstio.parameters.labels[0].key💣

Type: string

Default value

"istio-injection"

violations.namespacesHaveIstio.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.noBigContainers.enabled💣

Type: bool

Default value

true

violations.noBigContainers.enforcementAction💣

Type: string

Default value

"dryrun"

violations.noBigContainers.kind💣

Type: string

Default value

"K8sContainerLimits"

violations.noBigContainers.name💣

Type: string

Default value

"no-big-container"

violations.noBigContainers.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.noBigContainers.parameters.cpu💣

Type: string

Default value

"2000m"

violations.noBigContainers.parameters.memory💣

Type: string

Default value

"4G"

violations.noBigContainers.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.noHostNamespace.enabled💣

Type: bool

Default value

true

violations.noHostNamespace.enforcementAction💣

Type: string

Default value

"deny"

violations.noHostNamespace.kind💣

Type: string

Default value

"K8sPSPHostNamespace2"

violations.noHostNamespace.name💣

Type: string

Default value

"no-host-namespace"

violations.noHostNamespace.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.noHostNamespace.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.noPrivilegedContainers.enabled💣

Type: bool

Default value

true

violations.noPrivilegedContainers.enforcementAction💣

Type: string

Default value

"deny"

violations.noPrivilegedContainers.kind💣

Type: string

Default value

"K8sPSPPrivilegedContainer2"

violations.noPrivilegedContainers.name💣

Type: string

Default value

"no-privileged-containers"

violations.noPrivilegedContainers.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.noPrivilegedContainers.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.noDefaultServiceAccount.enabled💣

Type: bool

Default value

true

violations.noDefaultServiceAccount.enforcementAction💣

Type: string

Default value

"dryrun"

violations.noDefaultServiceAccount.kind💣

Type: string

Default value

"K8sDenySADefault"

violations.noDefaultServiceAccount.name💣

Type: string

Default value

"no-default-service-account"

violations.noDefaultServiceAccount.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.noDefaultServiceAccount.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.noPrivilegedEscalation.enabled💣

Type: bool

Default value

true

violations.noPrivilegedEscalation.enforcementAction💣

Type: string

Default value

"dryrun"

violations.noPrivilegedEscalation.kind💣

Type: string

Default value

"K8sPSPAllowPrivilegeEscalationContainer2"

violations.noPrivilegedEscalation.name💣

Type: string

Default value

"no-privileged-escalation"

violations.noPrivilegedEscalation.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.noPrivilegedEscalation.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.noSysctls.enabled💣

Type: bool

Default value

true

violations.noSysctls.enforcementAction💣

Type: string

Default value

"deny"

violations.noSysctls.kind💣

Type: string

Default value

"K8sPSPForbiddenSysctls"

violations.noSysctls.name💣

Type: string

Default value

"no-sysctls"

violations.noSysctls.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.noSysctls.parameters.forbiddenSysctls[0]💣

Type: string

Default value

"*"

violations.noSysctls.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.podsHaveIstio.enabled💣

Type: bool

Default value

true

violations.podsHaveIstio.enforcementAction💣

Type: string

Default value

"dryrun"

violations.podsHaveIstio.kind💣

Type: string

Default value

"K8sNoAnnotationValues"

violations.podsHaveIstio.name💣

Type: string

Default value

"pods-have-istio"

violations.podsHaveIstio.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.podsHaveIstio.parameters.annotations[0].disallowedRegex💣

Type: string

Default value

"^false"

violations.podsHaveIstio.parameters.annotations[0].key💣

Type: string

Default value

"sidecar.istio.io/inject"

violations.podsHaveIstio.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.readOnlyRoot.enabled💣

Type: bool

Default value

true

violations.readOnlyRoot.enforcementAction💣

Type: string

Default value

"dryrun"

violations.readOnlyRoot.kind💣

Type: string

Default value

"K8sPSPReadOnlyRootFilesystem2"

violations.readOnlyRoot.name💣

Type: string

Default value

"read-only-root"

violations.readOnlyRoot.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.readOnlyRoot.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.requiredLabels.enabled💣

Type: bool

Default value

true

violations.requiredLabels.enforcementAction💣

Type: string

Default value

"dryrun"

violations.requiredLabels.kind💣

Type: string

Default value

"K8sRequiredLabelValues"

violations.requiredLabels.name💣

Type: string

Default value

"required-labels"

violations.requiredLabels.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.requiredLabels.parameters.labels[0].allowedRegex💣

Type: string

Default value

""

violations.requiredLabels.parameters.labels[0].key💣

Type: string

Default value

"app.kubernetes.io/name"

violations.requiredLabels.parameters.labels[1].allowedRegex💣

Type: string

Default value

""

violations.requiredLabels.parameters.labels[1].key💣

Type: string

Default value

"app.kubernetes.io/instance"

violations.requiredLabels.parameters.labels[2].allowedRegex💣

Type: string

Default value

""

violations.requiredLabels.parameters.labels[2].key💣

Type: string

Default value

"app.kubernetes.io/version"

violations.requiredLabels.parameters.labels[3].allowedRegex💣

Type: string

Default value

""

violations.requiredLabels.parameters.labels[3].key💣

Type: string

Default value

"app.kubernetes.io/component"

violations.requiredLabels.parameters.labels[4].allowedRegex💣

Type: string

Default value

""

violations.requiredLabels.parameters.labels[4].key💣

Type: string

Default value

"app.kubernetes.io/part-of"

violations.requiredLabels.parameters.labels[5].allowedRegex💣

Type: string

Default value

""

violations.requiredLabels.parameters.labels[5].key💣

Type: string

Default value

"app.kubernetes.io/managed-by"

violations.requiredLabels.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.requiredProbes.enabled💣

Type: bool

Default value

true

violations.requiredProbes.enforcementAction💣

Type: string

Default value

"dryrun"

violations.requiredProbes.kind💣

Type: string

Default value

"K8sRequiredProbes"

violations.requiredProbes.name💣

Type: string

Default value

"required-probes"

violations.requiredProbes.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.requiredProbes.parameters.probeTypes[0]💣

Type: string

Default value

"tcpSocket"

violations.requiredProbes.parameters.probeTypes[1]💣

Type: string

Default value

"httpGet"

violations.requiredProbes.parameters.probeTypes[2]💣

Type: string

Default value

"exec"

violations.requiredProbes.parameters.probes[0]💣

Type: string

Default value

"readinessProbe"

violations.requiredProbes.parameters.probes[1]💣

Type: string

Default value

"livenessProbe"

violations.requiredProbes.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.restrictedTaint.enabled💣

Type: bool

Default value

true

violations.restrictedTaint.enforcementAction💣

Type: string

Default value

"deny"

violations.restrictedTaint.kind💣

Type: string

Default value

"RestrictedTaintToleration"

violations.restrictedTaint.name💣

Type: string

Default value

"restricted-taint"

violations.restrictedTaint.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.restrictedTaint.parameters.allowGlobalToleration💣

Type: bool

Default value

false

violations.restrictedTaint.parameters.restrictedTaint.effect💣

Type: string

Default value

"NoSchedule"

violations.restrictedTaint.parameters.restrictedTaint.key💣

Type: string

Default value

"privileged"

violations.restrictedTaint.parameters.restrictedTaint.value💣

Type: string

Default value

"true"

violations.restrictedTaint.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.selinuxPolicy.enabled💣

Type: bool

Default value

true

violations.selinuxPolicy.enforcementAction💣

Type: string

Default value

"deny"

violations.selinuxPolicy.kind💣

Type: string

Default value

"K8sPSPSELinuxV2"

violations.selinuxPolicy.name💣

Type: string

Default value

"selinux-policy"

violations.selinuxPolicy.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.selinuxPolicy.parameters.allowedSELinuxOptions💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.selinuxPolicy.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.uniqueIngressHost.enabled💣

Type: bool

Default value

true

violations.uniqueIngressHost.enforcementAction💣

Type: string

Default value

"deny"

violations.uniqueIngressHost.kind💣

Type: string

Default value

"K8sUniqueIngressHost"

violations.uniqueIngressHost.name💣

Type: string

Default value

"unique-ingress-hosts"

violations.uniqueIngressHost.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.uniqueIngressHost.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

violations.volumeTypes.enabled💣

Type: bool

Default value

true

violations.volumeTypes.enforcementAction💣

Type: string

Default value

"deny"

violations.volumeTypes.kind💣

Type: string

Default value

"K8sPSPVolumeTypes"

violations.volumeTypes.name💣

Type: string

Default value

"volume-types"

violations.volumeTypes.match💣

Type: object

Default value

{}

Default value (formatted)

{}

violations.volumeTypes.parameters.volumes[0]💣

Type: string

Default value

"configMap"

violations.volumeTypes.parameters.volumes[1]💣

Type: string

Default value

"emptyDir"

violations.volumeTypes.parameters.volumes[2]💣

Type: string

Default value

"projected"

violations.volumeTypes.parameters.volumes[3]💣

Type: string

Default value

"secret"

violations.volumeTypes.parameters.volumes[4]💣

Type: string

Default value

"downwardAPI"

violations.volumeTypes.parameters.volumes[5]💣

Type: string

Default value

"persistentVolumeClaim"

violations.volumeTypes.parameters.excludedResources💣

Type: list

Default value

[]

Default value (formatted)

[]

monitoring.enabled💣

Type: bool

Default value

false

networkPolicies.enabled💣

Type: bool

Default value

false

networkPolicies.controlPlaneCidr💣

Type: string

Default value

"0.0.0.0/0"

bbtests.enabled💣

Type: bool

Default value

false

bbtests.scripts.image💣

Type: string

Default value

"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.25.2"

bbtests.scripts.additionalVolumeMounts[0].name💣

Type: string

Default value

"{{ .Chart.Name }}-test-config"

bbtests.scripts.additionalVolumeMounts[0].mountPath💣

Type: string

Default value

"/yaml"

bbtests.scripts.additionalVolumeMounts[1].name💣

Type: string

Default value

"{{ .Chart.Name }}-kube-cache"

bbtests.scripts.additionalVolumeMounts[1].mountPath💣

Type: string

Default value

"/.kube/cache"

bbtests.scripts.additionalVolumes[0].name💣

Type: string

Default value

"{{ .Chart.Name }}-test-config"

bbtests.scripts.additionalVolumes[0].configMap.name💣

Type: string

Default value

"{{ .Chart.Name }}-test-config"

bbtests.scripts.additionalVolumes[1].name💣

Type: string

Default value

"{{ .Chart.Name }}-kube-cache"

bbtests.scripts.additionalVolumes[1].emptyDir💣

Type: object

Default value

{}

Default value (formatted)

{}

policy values.yaml💣

openshift💣

replicas💣

auditInterval💣

metricsBackends[0]💣

auditMatchKindOnly💣

constraintViolationsLimit💣

auditFromCache💣

disableMutation💣

disableValidatingWebhook💣

validatingWebhookTimeoutSeconds💣

validatingWebhookFailurePolicy💣

validatingWebhookExemptNamespacesLabels💣

validatingWebhookObjectSelector💣

validatingWebhookCheckIgnoreFailurePolicy💣

validatingWebhookCustomRules💣

enableDeleteOperations💣

enableExternalData💣

enableTLSHealthcheck💣

mutatingWebhookFailurePolicy💣

mutatingWebhookReinvocationPolicy💣

mutatingWebhookExemptNamespacesLabels💣

mutatingWebhookObjectSelector💣

mutatingWebhookTimeoutSeconds💣

mutatingWebhookCustomRules💣

mutationAnnotations💣

auditChunkSize💣

logLevel💣

logDenies💣

logMutations💣

emitAdmissionEvents💣

emitAuditEvents💣

resourceQuota💣

postUpgrade.labelNamespace.enabled💣

postUpgrade.labelNamespace.image.repository💣

postUpgrade.labelNamespace.image.tag💣

postUpgrade.labelNamespace.image.pullPolicy💣

postUpgrade.labelNamespace.image.pullSecrets💣

postUpgrade.labelNamespace.extraNamespaces💣

postUpgrade.securityContext.allowPrivilegeEscalation💣

postUpgrade.securityContext.capabilities.drop[0]💣

postUpgrade.securityContext.readOnlyRootFilesystem💣

postUpgrade.securityContext.runAsGroup💣

postUpgrade.securityContext.runAsNonRoot💣

postUpgrade.securityContext.runAsUser💣

postInstall.labelNamespace.extraRules💣

postInstall.labelNamespace.enabled💣

postInstall.labelNamespace.image.repository💣

postInstall.labelNamespace.image.tag💣

postInstall.labelNamespace.image.pullPolicy💣

postInstall.labelNamespace.image.pullSecrets💣

postInstall.labelNamespace.extraNamespaces💣

postInstall.probeWebhook.enabled💣

postInstall.probeWebhook.image.repository💣

postInstall.probeWebhook.image.tag💣

postInstall.probeWebhook.image.pullPolicy💣

postInstall.probeWebhook.image.pullSecrets💣

postInstall.probeWebhook.waitTimeout💣

postInstall.probeWebhook.httpTimeout💣

postInstall.probeWebhook.insecureHTTPS💣

postInstall.securityContext.allowPrivilegeEscalation💣

postInstall.securityContext.capabilities.drop[0]💣

postInstall.securityContext.readOnlyRootFilesystem💣

postInstall.securityContext.runAsGroup💣

postInstall.securityContext.runAsNonRoot💣

postInstall.securityContext.runAsUser💣

preUninstall.deleteWebhookConfigurations.extraRules💣

preUninstall.deleteWebhookConfigurations.enabled💣

preUninstall.deleteWebhookConfigurations.image.repository💣

preUninstall.deleteWebhookConfigurations.image.tag💣

preUninstall.deleteWebhookConfigurations.image.pullPolicy💣

preUninstall.deleteWebhookConfigurations.image.pullSecrets💣

preUninstall.securityContext.allowPrivilegeEscalation💣

preUninstall.securityContext.capabilities.drop[0]💣

preUninstall.securityContext.readOnlyRootFilesystem💣

preUninstall.securityContext.runAsGroup💣

preUninstall.securityContext.runAsNonRoot💣

preUninstall.securityContext.runAsUser💣

image.repository💣

image.release💣

policy `values.yaml`💣