policy values.yaml
openshift💣
Type: bool
false
replicas💣
Type: int
3
auditInterval💣
Type: int
300
metricsBackends[0]💣
Type: string
"prometheus"
auditMatchKindOnly💣
Type: bool
true
constraintViolationsLimit💣
Type: int
1000
auditFromCache💣
Type: bool
false
disableMutation💣
Type: bool
true
disableValidatingWebhook💣
Type: bool
false
validatingWebhookTimeoutSeconds💣
Type: int
15
validatingWebhookFailurePolicy💣
Type: string
"Ignore"
validatingWebhookExemptNamespacesLabels💣
Type: object
{}
Default value (formatted)
{}
validatingWebhookObjectSelector💣
Type: object
{}
Default value (formatted)
{}
validatingWebhookCheckIgnoreFailurePolicy💣
Type: string
"Fail"
validatingWebhookCustomRules💣
Type: object
{}
Default value (formatted)
{}
enableDeleteOperations💣
Type: bool
false
enableExternalData💣
Type: bool
false
enableTLSHealthcheck💣
Type: bool
false
mutatingWebhookFailurePolicy💣
Type: string
"Ignore"
mutatingWebhookReinvocationPolicy💣
Type: string
"Never"
mutatingWebhookExemptNamespacesLabels💣
Type: object
{}
Default value (formatted)
{}
mutatingWebhookObjectSelector💣
Type: object
{}
Default value (formatted)
{}
mutatingWebhookTimeoutSeconds💣
Type: int
1
mutatingWebhookCustomRules💣
Type: object
{}
Default value (formatted)
{}
mutationAnnotations💣
Type: bool
false
auditChunkSize💣
Type: int
500
logLevel💣
Type: string
"INFO"
logDenies💣
Type: bool
true
logMutations💣
Type: bool
true
emitAdmissionEvents💣
Type: bool
false
emitAuditEvents💣
Type: bool
false
resourceQuota💣
Type: bool
true
postUpgrade.labelNamespace.enabled💣
Type: bool
false
postUpgrade.labelNamespace.image.repository💣
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
postUpgrade.labelNamespace.image.tag💣
Type: string
"v1.25.2"
postUpgrade.labelNamespace.image.pullPolicy💣
Type: string
"IfNotPresent"
postUpgrade.labelNamespace.image.pullSecrets💣
Type: list
[]
Default value (formatted)
[]
postUpgrade.labelNamespace.extraNamespaces💣
Type: list
[]
Default value (formatted)
[]
postUpgrade.securityContext.allowPrivilegeEscalation💣
Type: bool
false
postUpgrade.securityContext.capabilities.drop[0]💣
Type: string
"all"
postUpgrade.securityContext.readOnlyRootFilesystem💣
Type: bool
true
postUpgrade.securityContext.runAsGroup💣
Type: int
999
postUpgrade.securityContext.runAsNonRoot💣
Type: bool
true
postUpgrade.securityContext.runAsUser💣
Type: int
1000
postInstall.labelNamespace.extraRules💣
Type: list
[]
Default value (formatted)
[]
postInstall.labelNamespace.enabled💣
Type: bool
true
postInstall.labelNamespace.image.repository💣
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
postInstall.labelNamespace.image.tag💣
Type: string
"v1.25.2"
postInstall.labelNamespace.image.pullPolicy💣
Type: string
"IfNotPresent"
postInstall.labelNamespace.image.pullSecrets💣
Type: list
[]
Default value (formatted)
[]
postInstall.labelNamespace.extraNamespaces💣
Type: list
[]
Default value (formatted)
[]
postInstall.probeWebhook.enabled💣
Type: bool
true
postInstall.probeWebhook.image.repository💣
Type: string
"registry1.dso.mil/ironbank/big-bang/base"
postInstall.probeWebhook.image.tag💣
Type: string
"2.0.0"
postInstall.probeWebhook.image.pullPolicy💣
Type: string
"IfNotPresent"
postInstall.probeWebhook.image.pullSecrets💣
Type: list
[]
Default value (formatted)
[]
postInstall.probeWebhook.waitTimeout💣
Type: int
60
postInstall.probeWebhook.httpTimeout💣
Type: int
2
postInstall.probeWebhook.insecureHTTPS💣
Type: bool
false
postInstall.securityContext.allowPrivilegeEscalation💣
Type: bool
false
postInstall.securityContext.capabilities.drop[0]💣
Type: string
"all"
postInstall.securityContext.readOnlyRootFilesystem💣
Type: bool
true
postInstall.securityContext.runAsGroup💣
Type: int
999
postInstall.securityContext.runAsNonRoot💣
Type: bool
true
postInstall.securityContext.runAsUser💣
Type: int
1000
preUninstall.deleteWebhookConfigurations.extraRules💣
Type: list
[]
Default value (formatted)
[]
preUninstall.deleteWebhookConfigurations.enabled💣
Type: bool
false
preUninstall.deleteWebhookConfigurations.image.repository💣
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
preUninstall.deleteWebhookConfigurations.image.tag💣
Type: string
"v1.25.2"
preUninstall.deleteWebhookConfigurations.image.pullPolicy💣
Type: string
"IfNotPresent"
preUninstall.deleteWebhookConfigurations.image.pullSecrets💣
Type: list
[]
Default value (formatted)
[]
preUninstall.securityContext.allowPrivilegeEscalation💣
Type: bool
false
preUninstall.securityContext.capabilities.drop[0]💣
Type: string
"all"
preUninstall.securityContext.readOnlyRootFilesystem💣
Type: bool
true
preUninstall.securityContext.runAsGroup💣
Type: int
999
preUninstall.securityContext.runAsNonRoot💣
Type: bool
true
preUninstall.securityContext.runAsUser💣
Type: int
1000
image.repository💣
Type: string
"registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper"
image.release💣
Type: string
"v3.9.0"
image.pullPolicy💣
Type: string
"IfNotPresent"
image.pullSecrets[0].name💣
Type: string
"private-registry"
image.crdRepository💣
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
image.crdRelease💣
Type: string
"v1.25.2"
podAnnotations."container.seccomp.security.alpha.kubernetes.io/manager"💣
Type: string
"runtime/default"
podLabels💣
Type: object
{}
Default value (formatted)
{}
podCountLimit💣
Type: int
100
secretAnnotations💣
Type: object
{}
Default value (formatted)
{}
enableRuntimeDefaultSeccompProfile💣
Type: bool
true
controllerManager.exemptNamespaces💣
Type: list
[]
Default value (formatted)
[]
controllerManager.exemptNamespacePrefixes💣
Type: list
[]
Default value (formatted)
[]
controllerManager.hostNetwork💣
Type: bool
false
controllerManager.dnsPolicy💣
Type: string
"ClusterFirst"
controllerManager.port💣
Type: int
8443
controllerManager.metricsPort💣
Type: int
8888
controllerManager.healthPort💣
Type: int
9090
controllerManager.priorityClassName💣
Type: string
"system-cluster-critical"
controllerManager.disableCertRotation💣
Type: bool
false
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].key💣
Type: string
"gatekeeper.sh/operation"
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].operator💣
Type: string
"In"
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values[0]💣
Type: string
"webhook"
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey💣
Type: string
"kubernetes.io/hostname"
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight💣
Type: int
100
controllerManager.tolerations💣
Type: list
[]
Default value (formatted)
[]
controllerManager.nodeSelector."kubernetes.io/os"💣
Type: string
"linux"
controllerManager.resources.limits.cpu💣
Type: string
"175m"
controllerManager.resources.limits.memory💣
Type: string
"512Mi"
controllerManager.resources.requests.cpu💣
Type: string
"175m"
controllerManager.resources.requests.memory💣
Type: string
"512Mi"
controllerManager.securityContext.allowPrivilegeEscalation💣
Type: bool
false
controllerManager.securityContext.capabilities.drop[0]💣
Type: string
"all"
controllerManager.securityContext.readOnlyRootFilesystem💣
Type: bool
true
controllerManager.securityContext.runAsGroup💣
Type: int
999
controllerManager.securityContext.runAsNonRoot💣
Type: bool
true
controllerManager.securityContext.runAsUser💣
Type: int
1000
controllerManager.podSecurityContext.fsGroup💣
Type: int
999
controllerManager.podSecurityContext.supplementalGroups[0]💣
Type: int
999
controllerManager.extraRules💣
Type: list
[]
Default value (formatted)
[]
audit.hostNetwork💣
Type: bool
false
audit.dnsPolicy💣
Type: string
"ClusterFirst"
audit.metricsPort💣
Type: int
8888
audit.healthPort💣
Type: int
9090
audit.priorityClassName💣
Type: string
"system-cluster-critical"
audit.disableCertRotation💣
Type: bool
true
audit.affinity💣
Type: object
{}
Default value (formatted)
{}
audit.tolerations💣
Type: list
[]
Default value (formatted)
[]
audit.nodeSelector."kubernetes.io/os"💣
Type: string
"linux"
audit.writeToRAMDisk💣
Type: bool
false
audit.resources.limits.cpu💣
Type: float
1.2
audit.resources.limits.memory💣
Type: string
"768Mi"
audit.resources.requests.cpu💣
Type: float
1.2
audit.resources.requests.memory💣
Type: string
"768Mi"
audit.securityContext.allowPrivilegeEscalation💣
Type: bool
false
audit.securityContext.capabilities.drop[0]💣
Type: string
"all"
audit.securityContext.readOnlyRootFilesystem💣
Type: bool
true
audit.securityContext.runAsGroup💣
Type: int
999
audit.securityContext.runAsNonRoot💣
Type: bool
true
audit.securityContext.runAsUser💣
Type: int
1000
audit.podSecurityContext.fsGroup💣
Type: int
999
audit.podSecurityContext.supplementalGroups[0]💣
Type: int
999
audit.extraRules💣
Type: list
[]
Default value (formatted)
[]
crds.resources💣
Type: object
{}
Default value (formatted)
{}
crds.securityContext.allowPrivilegeEscalation💣
Type: bool
false
crds.securityContext.capabilities.drop[0]💣
Type: string
"all"
crds.securityContext.readOnlyRootFilesystem💣
Type: bool
true
crds.securityContext.runAsGroup💣
Type: int
65532
crds.securityContext.runAsNonRoot💣
Type: bool
true
crds.securityContext.runAsUser💣
Type: int
65532
pdb.controllerManager.minAvailable💣
Type: int
1
service💣
Type: object
{}
Default value (formatted)
{}
disabledBuiltins[0]💣
Type: string
"{http.send}"
psp.enabled💣
Type: bool
false
upgradeCRDs.enabled💣
Type: bool
true
upgradeCRDs.tolerations💣
Type: list
[]
Default value (formatted)
[]
upgradeCRDs.extraRules💣
Type: list
[]
Default value (formatted)
[]
cleanupCRDs.enabled💣
Type: bool
true
rbac.create💣
Type: bool
true
violations.allowedAppArmorProfiles.enabled💣
Type: bool
false
violations.allowedAppArmorProfiles.enforcementAction💣
Type: string
"dryrun"
violations.allowedAppArmorProfiles.kind💣
Type: string
"K8sPSPAppArmor"
violations.allowedAppArmorProfiles.name💣
Type: string
"allowed-app-armor-profiles"
violations.allowedAppArmorProfiles.match💣
Type: object
{}
Default value (formatted)
{}
violations.allowedAppArmorProfiles.parameters.allowedProfiles[0]💣
Type: string
"runtime/default"
violations.allowedAppArmorProfiles.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.allowedCapabilities.enabled💣
Type: bool
true
violations.allowedCapabilities.enforcementAction💣
Type: string
"dryrun"
violations.allowedCapabilities.kind💣
Type: string
"K8sPSPCapabilities"
violations.allowedCapabilities.name💣
Type: string
"allowed-capabilities"
violations.allowedCapabilities.match💣
Type: object
{}
Default value (formatted)
{}
violations.allowedCapabilities.parameters.allowedCapabilities💣
Type: list
[]
Default value (formatted)
[]
violations.allowedCapabilities.parameters.requiredDropCapabilities[0]💣
Type: string
"all"
violations.allowedCapabilities.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.allowedDockerRegistries.enabled💣
Type: bool
true
violations.allowedDockerRegistries.enforcementAction💣
Type: string
"deny"
violations.allowedDockerRegistries.kind💣
Type: string
"K8sAllowedRepos"
violations.allowedDockerRegistries.name💣
Type: string
"allowed-docker-registries"
violations.allowedDockerRegistries.match💣
Type: object
{}
Default value (formatted)
{}
violations.allowedDockerRegistries.parameters.repos[0]💣
Type: string
"registry1.dso.mil"
violations.allowedDockerRegistries.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.allowedFlexVolumes.enabled💣
Type: bool
true
violations.allowedFlexVolumes.enforcementAction💣
Type: string
"deny"
violations.allowedFlexVolumes.kind💣
Type: string
"K8sPSPFlexVolumes"
violations.allowedFlexVolumes.name💣
Type: string
"allowed-flex-volumes"
violations.allowedFlexVolumes.match💣
Type: object
{}
Default value (formatted)
{}
violations.allowedFlexVolumes.parameters.allowedFlexVolumes💣
Type: list
[]
Default value (formatted)
[]
violations.allowedFlexVolumes.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.allowedHostFilesystem.enabled💣
Type: bool
true
violations.allowedHostFilesystem.enforcementAction💣
Type: string
"deny"
violations.allowedHostFilesystem.kind💣
Type: string
"K8sPSPHostFilesystem"
violations.allowedHostFilesystem.name💣
Type: string
"allowed-host-filesystem"
violations.allowedHostFilesystem.match💣
Type: object
{}
Default value (formatted)
{}
violations.allowedHostFilesystem.parameters.allowedHostPaths💣
Type: list
[]
Default value (formatted)
[]
violations.allowedHostFilesystem.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.allowedIPs.enabled💣
Type: bool
true
violations.allowedIPs.enforcementAction💣
Type: string
"deny"
violations.allowedIPs.kind💣
Type: string
"K8sExternalIPs"
violations.allowedIPs.name💣
Type: string
"allowed-ips"
violations.allowedIPs.match💣
Type: object
{}
Default value (formatted)
{}
violations.allowedIPs.parameters.allowedIPs💣
Type: list
[]
Default value (formatted)
[]
violations.allowedIPs.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.allowedProcMount.enabled💣
Type: bool
true
violations.allowedProcMount.enforcementAction💣
Type: string
"deny"
violations.allowedProcMount.kind💣
Type: string
"K8sPSPProcMount"
violations.allowedProcMount.name💣
Type: string
"allowed-proc-mount"
violations.allowedProcMount.match💣
Type: object
{}
Default value (formatted)
{}
violations.allowedProcMount.parameters.procMount💣
Type: string
"Default"
violations.allowedProcMount.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.allowedSecCompProfiles.enabled💣
Type: bool
true
violations.allowedSecCompProfiles.enforcementAction💣
Type: string
"dryrun"
violations.allowedSecCompProfiles.kind💣
Type: string
"K8sPSPSeccomp"
violations.allowedSecCompProfiles.name💣
Type: string
"allowed-sec-comp-profiles"
violations.allowedSecCompProfiles.match💣
Type: object
{}
Default value (formatted)
{}
violations.allowedSecCompProfiles.parameters.allowedProfiles[0]💣
Type: string
"runtime/default"
violations.allowedSecCompProfiles.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.allowedUsers.enabled💣
Type: bool
true
violations.allowedUsers.enforcementAction💣
Type: string
"dryrun"
violations.allowedUsers.kind💣
Type: string
"K8sPSPAllowedUsers"
violations.allowedUsers.name💣
Type: string
"allowed-users"
violations.allowedUsers.match💣
Type: object
{}
Default value (formatted)
{}
violations.allowedUsers.parameters.runAsUser.rule💣
Type: string
"MustRunAsNonRoot"
violations.allowedUsers.parameters.fsGroup.rule💣
Type: string
"MustRunAs"
violations.allowedUsers.parameters.fsGroup.ranges[0].min💣
Type: int
1000
violations.allowedUsers.parameters.fsGroup.ranges[0].max💣
Type: int
65535
violations.allowedUsers.parameters.runAsGroup.rule💣
Type: string
"MustRunAs"
violations.allowedUsers.parameters.runAsGroup.ranges[0].min💣
Type: int
1000
violations.allowedUsers.parameters.runAsGroup.ranges[0].max💣
Type: int
65535
violations.allowedUsers.parameters.supplementalGroups.rule💣
Type: string
"MustRunAs"
violations.allowedUsers.parameters.supplementalGroups.ranges[0].min💣
Type: int
1000
violations.allowedUsers.parameters.supplementalGroups.ranges[0].max💣
Type: int
65535
violations.allowedUsers.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.bannedImageTags.enabled💣
Type: bool
true
violations.bannedImageTags.enforcementAction💣
Type: string
"deny"
violations.bannedImageTags.kind💣
Type: string
"K8sBannedImageTags"
violations.bannedImageTags.name💣
Type: string
"banned-image-tags"
violations.bannedImageTags.match💣
Type: object
{}
Default value (formatted)
{}
violations.bannedImageTags.parameters.tags[0]💣
Type: string
"latest"
violations.bannedImageTags.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.blockNodePort.enabled💣
Type: bool
true
violations.blockNodePort.enforcementAction💣
Type: string
"dryrun"
violations.blockNodePort.kind💣
Type: string
"K8sBlockNodePort"
violations.blockNodePort.name💣
Type: string
"block-node-ports"
violations.blockNodePort.match💣
Type: object
{}
Default value (formatted)
{}
violations.blockNodePort.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.containerRatio.enabled💣
Type: bool
true
violations.containerRatio.enforcementAction💣
Type: string
"dryrun"
violations.containerRatio.kind💣
Type: string
"K8sContainerRatios"
violations.containerRatio.name💣
Type: string
"container-ratios"
violations.containerRatio.match💣
Type: object
{}
Default value (formatted)
{}
violations.containerRatio.parameters.ratio💣
Type: string
"2"
violations.containerRatio.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.hostNetworking.enabled💣
Type: bool
true
violations.hostNetworking.enforcementAction💣
Type: string
"deny"
violations.hostNetworking.kind💣
Type: string
"K8sPSPHostNetworkingPorts"
violations.hostNetworking.name💣
Type: string
"host-networking"
violations.hostNetworking.match💣
Type: object
{}
Default value (formatted)
{}
violations.hostNetworking.parameters.hostNetwork💣
Type: bool
false
violations.hostNetworking.parameters.min💣
Type: int
0
violations.hostNetworking.parameters.max💣
Type: int
0
violations.hostNetworking.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.httpsOnly.enabled💣
Type: bool
true
violations.httpsOnly.enforcementAction💣
Type: string
"deny"
violations.httpsOnly.kind💣
Type: string
"K8sHttpsOnly2"
violations.httpsOnly.name💣
Type: string
"https-only"
violations.httpsOnly.match💣
Type: object
{}
Default value (formatted)
{}
violations.httpsOnly.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.imageDigest.enabled💣
Type: bool
true
violations.imageDigest.enforcementAction💣
Type: string
"dryrun"
violations.imageDigest.kind💣
Type: string
"K8sImageDigests2"
violations.imageDigest.name💣
Type: string
"image-digest"
violations.imageDigest.match💣
Type: object
{}
Default value (formatted)
{}
violations.imageDigest.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.namespacesHaveIstio.enabled💣
Type: bool
true
violations.namespacesHaveIstio.enforcementAction💣
Type: string
"dryrun"
violations.namespacesHaveIstio.kind💣
Type: string
"K8sRequiredLabelValues"
violations.namespacesHaveIstio.name💣
Type: string
"namespaces-have-istio"
violations.namespacesHaveIstio.match.namespaceSelector.matchExpressions[0].key💣
Type: string
"admission.gatekeeper.sh/ignore"
violations.namespacesHaveIstio.match.namespaceSelector.matchExpressions[0].operator💣
Type: string
"DoesNotExist"
violations.namespacesHaveIstio.parameters.labels[0].allowedRegex💣
Type: string
"^enabled"
violations.namespacesHaveIstio.parameters.labels[0].key💣
Type: string
"istio-injection"
violations.namespacesHaveIstio.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.noBigContainers.enabled💣
Type: bool
true
violations.noBigContainers.enforcementAction💣
Type: string
"dryrun"
violations.noBigContainers.kind💣
Type: string
"K8sContainerLimits"
violations.noBigContainers.name💣
Type: string
"no-big-container"
violations.noBigContainers.match💣
Type: object
{}
Default value (formatted)
{}
violations.noBigContainers.parameters.cpu💣
Type: string
"2000m"
violations.noBigContainers.parameters.memory💣
Type: string
"4G"
violations.noBigContainers.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.noHostNamespace.enabled💣
Type: bool
true
violations.noHostNamespace.enforcementAction💣
Type: string
"deny"
violations.noHostNamespace.kind💣
Type: string
"K8sPSPHostNamespace2"
violations.noHostNamespace.name💣
Type: string
"no-host-namespace"
violations.noHostNamespace.match💣
Type: object
{}
Default value (formatted)
{}
violations.noHostNamespace.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.noPrivilegedContainers.enabled💣
Type: bool
true
violations.noPrivilegedContainers.enforcementAction💣
Type: string
"deny"
violations.noPrivilegedContainers.kind💣
Type: string
"K8sPSPPrivilegedContainer2"
violations.noPrivilegedContainers.name💣
Type: string
"no-privileged-containers"
violations.noPrivilegedContainers.match💣
Type: object
{}
Default value (formatted)
{}
violations.noPrivilegedContainers.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.noDefaultServiceAccount.enabled💣
Type: bool
true
violations.noDefaultServiceAccount.enforcementAction💣
Type: string
"dryrun"
violations.noDefaultServiceAccount.kind💣
Type: string
"K8sDenySADefault"
violations.noDefaultServiceAccount.name💣
Type: string
"no-default-service-account"
violations.noDefaultServiceAccount.match💣
Type: object
{}
Default value (formatted)
{}
violations.noDefaultServiceAccount.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.noPrivilegedEscalation.enabled💣
Type: bool
true
violations.noPrivilegedEscalation.enforcementAction💣
Type: string
"dryrun"
violations.noPrivilegedEscalation.kind💣
Type: string
"K8sPSPAllowPrivilegeEscalationContainer2"
violations.noPrivilegedEscalation.name💣
Type: string
"no-privileged-escalation"
violations.noPrivilegedEscalation.match💣
Type: object
{}
Default value (formatted)
{}
violations.noPrivilegedEscalation.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.noSysctls.enabled💣
Type: bool
true
violations.noSysctls.enforcementAction💣
Type: string
"deny"
violations.noSysctls.kind💣
Type: string
"K8sPSPForbiddenSysctls"
violations.noSysctls.name💣
Type: string
"no-sysctls"
violations.noSysctls.match💣
Type: object
{}
Default value (formatted)
{}
violations.noSysctls.parameters.forbiddenSysctls[0]💣
Type: string
"*"
violations.noSysctls.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.podsHaveIstio.enabled💣
Type: bool
true
violations.podsHaveIstio.enforcementAction💣
Type: string
"dryrun"
violations.podsHaveIstio.kind💣
Type: string
"K8sNoAnnotationValues"
violations.podsHaveIstio.name💣
Type: string
"pods-have-istio"
violations.podsHaveIstio.match💣
Type: object
{}
Default value (formatted)
{}
violations.podsHaveIstio.parameters.annotations[0].disallowedRegex💣
Type: string
"^false"
violations.podsHaveIstio.parameters.annotations[0].key💣
Type: string
"sidecar.istio.io/inject"
violations.podsHaveIstio.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.readOnlyRoot.enabled💣
Type: bool
true
violations.readOnlyRoot.enforcementAction💣
Type: string
"dryrun"
violations.readOnlyRoot.kind💣
Type: string
"K8sPSPReadOnlyRootFilesystem2"
violations.readOnlyRoot.name💣
Type: string
"read-only-root"
violations.readOnlyRoot.match💣
Type: object
{}
Default value (formatted)
{}
violations.readOnlyRoot.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.requiredLabels.enabled💣
Type: bool
true
violations.requiredLabels.enforcementAction💣
Type: string
"dryrun"
violations.requiredLabels.kind💣
Type: string
"K8sRequiredLabelValues"
violations.requiredLabels.name💣
Type: string
"required-labels"
violations.requiredLabels.match💣
Type: object
{}
Default value (formatted)
{}
violations.requiredLabels.parameters.labels[0].allowedRegex💣
Type: string
""
violations.requiredLabels.parameters.labels[0].key💣
Type: string
"app.kubernetes.io/name"
violations.requiredLabels.parameters.labels[1].allowedRegex💣
Type: string
""
violations.requiredLabels.parameters.labels[1].key💣
Type: string
"app.kubernetes.io/instance"
violations.requiredLabels.parameters.labels[2].allowedRegex💣
Type: string
""
violations.requiredLabels.parameters.labels[2].key💣
Type: string
"app.kubernetes.io/version"
violations.requiredLabels.parameters.labels[3].allowedRegex💣
Type: string
""
violations.requiredLabels.parameters.labels[3].key💣
Type: string
"app.kubernetes.io/component"
violations.requiredLabels.parameters.labels[4].allowedRegex💣
Type: string
""
violations.requiredLabels.parameters.labels[4].key💣
Type: string
"app.kubernetes.io/part-of"
violations.requiredLabels.parameters.labels[5].allowedRegex💣
Type: string
""
violations.requiredLabels.parameters.labels[5].key💣
Type: string
"app.kubernetes.io/managed-by"
violations.requiredLabels.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.requiredProbes.enabled💣
Type: bool
true
violations.requiredProbes.enforcementAction💣
Type: string
"dryrun"
violations.requiredProbes.kind💣
Type: string
"K8sRequiredProbes"
violations.requiredProbes.name💣
Type: string
"required-probes"
violations.requiredProbes.match💣
Type: object
{}
Default value (formatted)
{}
violations.requiredProbes.parameters.probeTypes[0]💣
Type: string
"tcpSocket"
violations.requiredProbes.parameters.probeTypes[1]💣
Type: string
"httpGet"
violations.requiredProbes.parameters.probeTypes[2]💣
Type: string
"exec"
violations.requiredProbes.parameters.probes[0]💣
Type: string
"readinessProbe"
violations.requiredProbes.parameters.probes[1]💣
Type: string
"livenessProbe"
violations.requiredProbes.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.restrictedTaint.enabled💣
Type: bool
true
violations.restrictedTaint.enforcementAction💣
Type: string
"deny"
violations.restrictedTaint.kind💣
Type: string
"RestrictedTaintToleration"
violations.restrictedTaint.name💣
Type: string
"restricted-taint"
violations.restrictedTaint.match💣
Type: object
{}
Default value (formatted)
{}
violations.restrictedTaint.parameters.allowGlobalToleration💣
Type: bool
false
violations.restrictedTaint.parameters.restrictedTaint.effect💣
Type: string
"NoSchedule"
violations.restrictedTaint.parameters.restrictedTaint.key💣
Type: string
"privileged"
violations.restrictedTaint.parameters.restrictedTaint.value💣
Type: string
"true"
violations.restrictedTaint.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.selinuxPolicy.enabled💣
Type: bool
true
violations.selinuxPolicy.enforcementAction💣
Type: string
"deny"
violations.selinuxPolicy.kind💣
Type: string
"K8sPSPSELinuxV2"
violations.selinuxPolicy.name💣
Type: string
"selinux-policy"
violations.selinuxPolicy.match💣
Type: object
{}
Default value (formatted)
{}
violations.selinuxPolicy.parameters.allowedSELinuxOptions💣
Type: list
[]
Default value (formatted)
[]
violations.selinuxPolicy.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.uniqueIngressHost.enabled💣
Type: bool
true
violations.uniqueIngressHost.enforcementAction💣
Type: string
"deny"
violations.uniqueIngressHost.kind💣
Type: string
"K8sUniqueIngressHost"
violations.uniqueIngressHost.name💣
Type: string
"unique-ingress-hosts"
violations.uniqueIngressHost.match💣
Type: object
{}
Default value (formatted)
{}
violations.uniqueIngressHost.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
violations.volumeTypes.enabled💣
Type: bool
true
violations.volumeTypes.enforcementAction💣
Type: string
"deny"
violations.volumeTypes.kind💣
Type: string
"K8sPSPVolumeTypes"
violations.volumeTypes.name💣
Type: string
"volume-types"
violations.volumeTypes.match💣
Type: object
{}
Default value (formatted)
{}
violations.volumeTypes.parameters.volumes[0]💣
Type: string
"configMap"
violations.volumeTypes.parameters.volumes[1]💣
Type: string
"emptyDir"
violations.volumeTypes.parameters.volumes[2]💣
Type: string
"projected"
violations.volumeTypes.parameters.volumes[3]💣
Type: string
"secret"
violations.volumeTypes.parameters.volumes[4]💣
Type: string
"downwardAPI"
violations.volumeTypes.parameters.volumes[5]💣
Type: string
"persistentVolumeClaim"
violations.volumeTypes.parameters.excludedResources💣
Type: list
[]
Default value (formatted)
[]
monitoring.enabled💣
Type: bool
false
networkPolicies.enabled💣
Type: bool
false
networkPolicies.controlPlaneCidr💣
Type: string
"0.0.0.0/0"
bbtests.enabled💣
Type: bool
false
bbtests.scripts.image💣
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.25.2"
bbtests.scripts.additionalVolumeMounts[0].name💣
Type: string
"{{ .Chart.Name }}-test-config"
bbtests.scripts.additionalVolumeMounts[0].mountPath💣
Type: string
"/yaml"
bbtests.scripts.additionalVolumeMounts[1].name💣
Type: string
"{{ .Chart.Name }}-kube-cache"
bbtests.scripts.additionalVolumeMounts[1].mountPath💣
Type: string
"/.kube/cache"
bbtests.scripts.additionalVolumes[0].name💣
Type: string
"{{ .Chart.Name }}-test-config"
bbtests.scripts.additionalVolumes[0].configMap.name💣
Type: string
"{{ .Chart.Name }}-test-config"
bbtests.scripts.additionalVolumes[1].name💣
Type: string
"{{ .Chart.Name }}-kube-cache"
bbtests.scripts.additionalVolumes[1].emptyDir💣
Type: object
{}
Default value (formatted)
{}