
kyverno values.yaml💣

nameOverride💣

Type: string

Default value
nil

Description: Override the name of the chart

fullnameOverride💣

Type: string

Default value
nil

Description: Override the expanded name of the chart

namespace💣

Type: string

Default value
nil

Description: Namespace the chart deploys to

customLabels💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional labels

rbac.create💣

Type: bool

Default value
true

Description: Create ClusterRoles, ClusterRoleBindings, and ServiceAccount

rbac.serviceAccount.create💣

Type: bool

Default value
true

Description: Create a ServiceAccount

rbac.serviceAccount.name💣

Type: string

Default value
nil

Description: The ServiceAccount name

rbac.serviceAccount.annotations💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Annotations for the ServiceAccount

image.repository💣

Type: string

Default value
"registry1.dso.mil/ironbank/nirmata/kyverno"

Description: Image repository

image.tag💣

Type: string

Default value
nil

Description: Image tag. Defaults to appVersion in Chart.yaml if omitted.

image.pullPolicy💣

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

image.pullSecrets💣

Type: list

Default value
[]
Default value (formatted)
[]

Description: Image pull secrets

initImage.repository💣

Type: string

Default value
"registry1.dso.mil/ironbank/nirmata/kyvernopre"

Description: Image repository

initImage.tag💣

Type: string

Default value
nil

Description: Image tag. If initImage.tag is missing, defaults to image.tag.

initImage.pullPolicy💣

Type: string

Default value
nil

Description: Image pull policy. If initImage.pullPolicy is missing, defaults to image.pullPolicy.

testImage.repository💣

Type: string

Default value
"registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal"

Description: Image repository. Defaults to busybox if omitted.

testImage.tag💣

Type: float

Default value
8.6

Description: Image tag. Defaults to latest if omitted. Note that the unquoted default 8.6 is parsed as a number (hence "Type: float" above); quote the tag, e.g. "8.6", so it is treated as a string.

testImage.pullPolicy💣

Type: string

Default value
nil

Description: Image pull policy. Defaults to image.pullPolicy if omitted.

replicaCount💣

Type: int

Default value
1

Description: Desired number of pods

podLabels💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional labels to add to each pod

podAnnotations💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional annotations to add to each pod

podSecurityContext💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Security context for the pod

securityContext💣

Type: object

Default value
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
  "allowPrivilegeEscalation": false,
  "capabilities": {
    "drop": [
      "ALL"
    ]
  },
  "privileged": false,
  "readOnlyRootFilesystem": true,
  "runAsNonRoot": true,
  "seccompProfile": {
    "type": "RuntimeDefault"
  }
}

Description: Security context for the containers

priorityClassName💣

Type: string

Default value
""

Description: Optional priority class to be used for kyverno pods

antiAffinity.enable💣

Type: bool

Default value
true

Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.

podAffinity💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Pod affinity constraints.

nodeAffinity💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Node affinity constraints.

podDisruptionBudget.minAvailable💣

Type: int

Default value
1

Description: Configures the minimum available pods for kyverno disruptions. Cannot be used if maxUnavailable is set.

podDisruptionBudget.maxUnavailable💣

Type: string

Default value
nil

Description: Configures the maximum unavailable pods for kyverno disruptions. Cannot be used if minAvailable is set.

nodeSelector💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Node labels for pod assignment

tolerations💣

Type: list

Default value
[]
Default value (formatted)
[]

Description: List of node taints to tolerate

hostNetwork💣

Type: bool

Default value
false

Description: Set hostNetwork to true when you want Kyverno's pod to share its host's network namespace. Useful for situations such as a custom CNI over Amazon EKS. Update dnsPolicy accordingly as well to suit host network mode.

dnsPolicy💣

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

envVarsInit💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Env variables for initContainers.

envVars💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Env variables for containers.

extraArgs💣

Type: list

Default value
["--clientRateLimitQPS=25","--clientRateLimitBurst=50","--autogenInternals=false"]
Default value (formatted)
[
  "--clientRateLimitQPS=25",
  "--clientRateLimitBurst=50",
  "--autogenInternals=false"
]

Description: Extra arguments to give to the binary.

extraInitContainers💣

Type: list

Default value
[]
Default value (formatted)
[]

Description: Array of extra init containers

extraContainers💣

Type: list

Default value
[]
Default value (formatted)
[]

Description: Array of extra containers to run alongside kyverno

imagePullSecrets💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Image pull secrets for image verify and imageData policies. This will define the --imagePullSecrets Kyverno argument.

resources.limits💣

Type: object

Default value
{"cpu":"500m","memory":"512Mi"}
Default value (formatted)
{
  "cpu": "500m",
  "memory": "512Mi"
}

Description: Pod resource limits

resources.requests💣

Type: object

Default value
{"cpu":"500m","memory":"512Mi"}
Default value (formatted)
{
  "cpu": "500m",
  "memory": "512Mi"
}

Description: Pod resource requests

initResources.limits💣

Type: object

Default value
{"cpu":"100m","memory":"256Mi"}
Default value (formatted)
{
  "cpu": "100m",
  "memory": "256Mi"
}

Description: Pod resource limits

initResources.requests💣

Type: object

Default value
{"cpu":"100m","memory":"256Mi"}
Default value (formatted)
{
  "cpu": "100m",
  "memory": "256Mi"
}

Description: Pod resource requests

generatecontrollerExtraResources💣

Type: list

Default value
[]
Default value (formatted)
[]

Description: Additional resources to be added to controller RBAC permissions.

excludeKyvernoNamespace💣

Type: bool

Default value
true

Description: Exclude Kyverno namespace. Determines whether the default Kyverno namespace exclusion is enabled for webhooks and resourceFilters.

resourceFiltersExcludeNamespaces💣

Type: list

Default value
[]
Default value (formatted)
[]

Description: resourceFilter namespace exclusions. Namespaces to exclude from the default resourceFilters.

config.existingConfig💣

Type: string

Default value
""

Description: Name of an existing config map (ignores default/provided resourceFilters)

config.excludeGroupRole💣

Type: string

Default value
nil

Description: Exclude group role

config.excludeUsername💣

Type: string

Default value
nil

Description: Exclude username

config.webhooks💣

Type: string

Default value
nil

Description: Defines the namespaceSelector in the webhook configurations. Note that it takes a list of namespaceSelector and/or objectSelector in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if excludeKyvernoNamespace is true (default)

config.generateSuccessEvents💣

Type: bool

Default value
false

Description: Generate success events.

config.metricsConfig💣

Type: object

Default value
{"namespaces":{"exclude":[],"include":[]}}
Default value (formatted)
{
  "namespaces": {
    "exclude": [],
    "include": []
  }
}

Description: Metrics config.

service.port💣

Type: int

Default value
443

Description: Service port.

service.type💣

Type: string

Default value
"ClusterIP"

Description: Service type.

service.nodePort💣

Type: string

Default value
nil

Description: Service node port. Only used if service.type is NodePort.

service.annotations💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Service annotations.

topologySpreadConstraints💣

Type: list

Default value
[]
Default value (formatted)
[]

Description: Topology spread constraints.

metricsService.create💣

Type: bool

Default value
true

Description: Create service.

metricsService.port💣

Type: int

Default value
8000

Description: Service port. Kyverno’s metrics server will be exposed at this port.

metricsService.type💣

Type: string

Default value
"ClusterIP"

Description: Service type.

metricsService.nodePort💣

Type: string

Default value
nil

Description: Service node port. Only used if metricsService.type is NodePort.

metricsService.annotations💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Service annotations.

serviceMonitor.enabled💣

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

serviceMonitor.additionalLabels💣

Type: string

Default value
nil

Description: Additional labels

serviceMonitor.namespace💣

Type: string

Default value
nil

Description: Override namespace (default is the same as kyverno)

serviceMonitor.interval💣

Type: string

Default value
"30s"

Description: Interval to scrape metrics

serviceMonitor.scrapeTimeout💣

Type: string

Default value
"25s"

Description: Timeout if metrics can't be retrieved within the given scrape interval.

serviceMonitor.secure💣

Type: bool

Default value
false

Description: Whether TLS is required for the endpoint.

serviceMonitor.tlsConfig💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: TLS Configuration for endpoint

serviceMonitor.dashboards.namespace💣

Type: string

Default value
nil

serviceMonitor.dashboards.label💣

Type: string

Default value
"grafana_dashboard"

createSelfSignedCert💣

Type: bool

Default value
false

Description: Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred). 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure; as long as you follow the naming scheme, it will be automatically picked up: kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt) and kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt). 3) Let Helm generate a self-signed cert by setting createSelfSignedCert to true. If letting Kyverno create its own CA or providing your own, make sure createSelfSignedCert is false.

installCRDs💣

Type: bool

Default value
true

Description: Whether to have Helm install the Kyverno CRDs. If the CRDs are not installed by Helm, they must be added before policies can be created.

networkPolicy.enabled💣

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to the webhook. This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.

networkPolicy.ingressFrom💣

Type: list

Default value
[]
Default value (formatted)
[]

Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.

webhooksCleanup.enable💣

Type: bool

Default value
false

Description: Create a Helm pre-delete hook to clean up webhooks.

webhooksCleanup.image💣

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.25.3"

Description: kubectl image to run commands for deleting webhooks.

tufRootMountPath💣

Type: string

Default value
"/.sigstore"

Description: A writable volume to use for the TUF root initialization

registries💣

Type: object

Default value
{"ports":[{"port":443,"protocol":"TCP"}]}
Default value (formatted)
{
  "ports": [
    {
      "port": 443,
      "protocol": "TCP"
    }
  ]
}

Description: A list of registry ports to be accepted

networkPolicies.enabled💣

Type: bool

Default value
false

networkPolicies.controlPlaneCidr💣

Type: string

Default value
"0.0.0.0/0"

istio.enabled💣

Type: bool

Default value
false

openshift💣

Type: bool

Default value
false

bbtests.enabled💣

Type: bool

Default value
false

bbtests.scripts.image💣

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.25.3"

bbtests.scripts.additionalVolumeMounts[0].name💣

Type: string

Default value
"kyverno-bbtest-manifest"

bbtests.scripts.additionalVolumeMounts[0].mountPath💣

Type: string

Default value
"/yaml"

bbtests.scripts.additionalVolumes[0].name💣

Type: string

Default value
"kyverno-bbtest-manifest"

bbtests.scripts.additionalVolumes[0].configMap.name💣

Type: string

Default value
"kyverno-bbtest-manifest"