Skip to content

policy values.yaml💣

openshift💣

Type: bool

Default value
false

replicas💣

Type: int

Default value
3

auditInterval💣

Type: int

Default value
300

metricsBackends[0]💣

Type: string

Default value
"prometheus"

auditMatchKindOnly💣

Type: bool

Default value
true

constraintViolationsLimit💣

Type: int

Default value
1000

auditFromCache💣

Type: bool

Default value
false

disableMutation💣

Type: bool

Default value
true

disableValidatingWebhook💣

Type: bool

Default value
false

validatingWebhookTimeoutSeconds💣

Type: int

Default value
15

validatingWebhookFailurePolicy💣

Type: string

Default value
"Ignore"

validatingWebhookAnnotations💣

Type: object

Default value
{}
Default value (formatted) 
{}

validatingWebhookExemptNamespacesLabels💣

Type: object

Default value
{}
Default value (formatted) 
{}

validatingWebhookObjectSelector💣

Type: object

Default value
{}
Default value (formatted) 
{}

validatingWebhookCheckIgnoreFailurePolicy💣

Type: string

Default value
"Fail"

validatingWebhookCustomRules💣

Type: object

Default value
{}
Default value (formatted) 
{}

enableDeleteOperations💣

Type: bool

Default value
false

enableExternalData💣

Type: bool

Default value
true

enableGeneratorResourceExpansion💣

Type: bool

Default value
false

enableTLSHealthcheck💣

Type: bool

Default value
false

maxServingThreads💣

Type: int

Default value
-1

mutatingWebhookFailurePolicy💣

Type: string

Default value
"Ignore"

mutatingWebhookReinvocationPolicy💣

Type: string

Default value
"Never"

mutatingWebhookAnnotations💣

Type: object

Default value
{}
Default value (formatted) 
{}

mutatingWebhookExemptNamespacesLabels💣

Type: object

Default value
{}
Default value (formatted) 
{}

mutatingWebhookObjectSelector💣

Type: object

Default value
{}
Default value (formatted) 
{}

mutatingWebhookTimeoutSeconds💣

Type: int

Default value
1

mutatingWebhookCustomRules💣

Type: object

Default value
{}
Default value (formatted) 
{}

mutationAnnotations💣

Type: bool

Default value
false

auditChunkSize💣

Type: int

Default value
500

logLevel💣

Type: string

Default value
"INFO"

logDenies💣

Type: bool

Default value
true

logMutations💣

Type: bool

Default value
true

emitAdmissionEvents💣

Type: bool

Default value
false

emitAuditEvents💣

Type: bool

Default value
false

resourceQuota💣

Type: bool

Default value
true

postUpgrade.labelNamespace.enabled💣

Type: bool

Default value
false

postUpgrade.labelNamespace.image.repository💣

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"

postUpgrade.labelNamespace.image.tag💣

Type: string

Default value
"v1.26.1"

postUpgrade.labelNamespace.image.pullPolicy💣

Type: string

Default value
"IfNotPresent"

postUpgrade.labelNamespace.image.pullSecrets💣

Type: list

Default value
[]
Default value (formatted) 
[]

postUpgrade.labelNamespace.extraNamespaces💣

Type: list

Default value
[]
Default value (formatted) 
[]

postUpgrade.labelNamespace.podSecurity💣

Type: list

Default value
[]
Default value (formatted) 
[]

postUpgrade.affinity💣

Type: object

Default value
{}
Default value (formatted) 
{}

postUpgrade.tolerations💣

Type: list

Default value
[]
Default value (formatted) 
[]

postUpgrade.nodeSelector.”kubernetes.io/os”💣

Type: string

Default value
"linux"

postUpgrade.resources💣

Type: object

Default value
{}
Default value (formatted) 
{}

postUpgrade.securityContext.allowPrivilegeEscalation💣

Type: bool

Default value
false

postUpgrade.securityContext.capabilities.drop[0]💣

Type: string

Default value
"ALL"

postUpgrade.securityContext.readOnlyRootFilesystem💣

Type: bool

Default value
true

postUpgrade.securityContext.runAsGroup💣

Type: int

Default value
999

postUpgrade.securityContext.runAsNonRoot💣

Type: bool

Default value
true

postUpgrade.securityContext.runAsUser💣

Type: int

Default value
1000

postInstall.labelNamespace.enabled💣

Type: bool

Default value
true

postInstall.labelNamespace.extraRules💣

Type: list

Default value
[]
Default value (formatted) 
[]

postInstall.labelNamespace.image.repository💣

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"

postInstall.labelNamespace.image.tag💣

Type: string

Default value
"v1.26.1"

postInstall.labelNamespace.image.pullPolicy💣

Type: string

Default value
"IfNotPresent"

postInstall.labelNamespace.image.pullSecrets💣

Type: list

Default value
[]
Default value (formatted) 
[]

postInstall.labelNamespace.extraNamespaces💣

Type: list

Default value
[]
Default value (formatted) 
[]

postInstall.labelNamespace.podSecurity💣

Type: list

Default value
[]
Default value (formatted) 
[]

postInstall.probeWebhook.enabled💣

Type: bool

Default value
true

postInstall.probeWebhook.image.repository💣

Type: string

Default value
"registry1.dso.mil/ironbank/big-bang/base"

postInstall.probeWebhook.image.tag💣

Type: string

Default value
"2.0.0"

postInstall.probeWebhook.image.pullPolicy💣

Type: string

Default value
"IfNotPresent"

postInstall.probeWebhook.image.pullSecrets💣

Type: list

Default value
[]
Default value (formatted) 
[]

postInstall.probeWebhook.waitTimeout💣

Type: int

Default value
60

postInstall.probeWebhook.httpTimeout💣

Type: int

Default value
2

postInstall.probeWebhook.insecureHTTPS💣

Type: bool

Default value
false

postInstall.affinity💣

Type: object

Default value
{}
Default value (formatted) 
{}

postInstall.tolerations💣

Type: list

Default value
[]
Default value (formatted) 
[]

postInstall.nodeSelector.”kubernetes.io/os”💣

Type: string

Default value
"linux"

postInstall.securityContext.allowPrivilegeEscalation💣

Type: bool

Default value
false

postInstall.securityContext.capabilities.drop[0]💣

Type: string

Default value
"ALL"

postInstall.securityContext.readOnlyRootFilesystem💣

Type: bool

Default value
true

postInstall.securityContext.runAsGroup💣

Type: int

Default value
999

postInstall.securityContext.runAsNonRoot💣

Type: bool

Default value
true

postInstall.securityContext.runAsUser💣

Type: int

Default value
1000

preUninstall.deleteWebhookConfigurations.extraRules💣

Type: list

Default value
[]
Default value (formatted) 
[]

preUninstall.deleteWebhookConfigurations.enabled💣

Type: bool

Default value
false

preUninstall.deleteWebhookConfigurations.image.repository💣

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"

preUninstall.deleteWebhookConfigurations.image.tag💣

Type: string

Default value
"v1.26.1"

preUninstall.deleteWebhookConfigurations.image.pullPolicy💣

Type: string

Default value
"IfNotPresent"

preUninstall.deleteWebhookConfigurations.image.pullSecrets💣

Type: list

Default value
[]
Default value (formatted) 
[]

preUninstall.affinity💣

Type: object

Default value
{}
Default value (formatted) 
{}

preUninstall.tolerations💣

Type: list

Default value
[]
Default value (formatted) 
[]

preUninstall.nodeSelector.”kubernetes.io/os”💣

Type: string

Default value
"linux"

preUninstall.resources💣

Type: object

Default value
{}
Default value (formatted) 
{}

preUninstall.securityContext.allowPrivilegeEscalation💣

Type: bool

Default value
false

preUninstall.securityContext.capabilities.drop[0]💣

Type: string

Default value
"ALL"

preUninstall.securityContext.readOnlyRootFilesystem💣

Type: bool

Default value
true

preUninstall.securityContext.runAsGroup💣

Type: int

Default value
999

preUninstall.securityContext.runAsNonRoot💣

Type: bool

Default value
true

preUninstall.securityContext.runAsUser💣

Type: int

Default value
1000

image.repository💣

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper"

image.release💣

Type: string

Default value
"v3.11.0"

image.pullPolicy💣

Type: string

Default value
"IfNotPresent"

image.pullSecrets[0].name💣

Type: string

Default value
"private-registry"

image.crdRepository💣

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"

image.crdRelease💣

Type: string

Default value
"v1.26.1"

podAnnotations.”container.seccomp.security.alpha.kubernetes.io/manager”💣

Type: string

Default value
"runtime/default"

podLabels💣

Type: object

Default value
{}
Default value (formatted) 
{}

podCountLimit💣

Type: string

Default value
"100"

secretAnnotations💣

Type: object

Default value
{}
Default value (formatted) 
{}

enableRuntimeDefaultSeccompProfile💣

Type: bool

Default value
true

controllerManager.exemptNamespaces💣

Type: list

Default value
[]
Default value (formatted) 
[]

controllerManager.exemptNamespacePrefixes💣

Type: list

Default value
[]
Default value (formatted) 
[]

controllerManager.hostNetwork💣

Type: bool

Default value
false

controllerManager.dnsPolicy💣

Type: string

Default value
"ClusterFirst"

controllerManager.port💣

Type: int

Default value
8443

controllerManager.metricsPort💣

Type: int

Default value
8888

controllerManager.healthPort💣

Type: int

Default value
9090

controllerManager.readinessTimeout💣

Type: int

Default value
1

controllerManager.livenessTimeout💣

Type: int

Default value
1

controllerManager.priorityClassName💣

Type: string

Default value
"system-cluster-critical"

controllerManager.disableCertRotation💣

Type: bool

Default value
false

controllerManager.tlsMinVersion💣

Type: float

Default value
1.3

controllerManager.clientCertName💣

Type: string

Default value
""

controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].key💣

Type: string

Default value
"gatekeeper.sh/operation"

controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].operator💣

Type: string

Default value
"In"

controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values[0]💣

Type: string

Default value
"webhook"

controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey💣

Type: string

Default value
"kubernetes.io/hostname"

controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight💣

Type: int

Default value
100

controllerManager.topologySpreadConstraints💣

Type: list

Default value
[]
Default value (formatted) 
[]

controllerManager.tolerations💣

Type: list

Default value
[]
Default value (formatted) 
[]

controllerManager.nodeSelector.”kubernetes.io/os”💣

Type: string

Default value
"linux"

controllerManager.resources.limits.cpu💣

Type: string

Default value
"175m"

controllerManager.resources.limits.memory💣

Type: string

Default value
"512Mi"

controllerManager.resources.requests.cpu💣

Type: string

Default value
"175m"

controllerManager.resources.requests.memory💣

Type: string

Default value
"512Mi"

controllerManager.securityContext.allowPrivilegeEscalation💣

Type: bool

Default value
false

controllerManager.securityContext.capabilities.drop[0]💣

Type: string

Default value
"ALL"

controllerManager.securityContext.readOnlyRootFilesystem💣

Type: bool

Default value
true

controllerManager.securityContext.runAsGroup💣

Type: int

Default value
999

controllerManager.securityContext.runAsNonRoot💣

Type: bool

Default value
true

controllerManager.securityContext.runAsUser💣

Type: int

Default value
1000

controllerManager.podSecurityContext.fsGroup💣

Type: int

Default value
999

controllerManager.podSecurityContext.supplementalGroups[0]💣

Type: int

Default value
999

controllerManager.extraRules💣

Type: list

Default value
[]
Default value (formatted) 
[]

audit.hostNetwork💣

Type: bool

Default value
false

audit.dnsPolicy💣

Type: string

Default value
"ClusterFirst"

audit.metricsPort💣

Type: int

Default value
8888

audit.healthPort💣

Type: int

Default value
9090

audit.readinessTimeout💣

Type: int

Default value
1

audit.livenessTimeout💣

Type: int

Default value
1

audit.priorityClassName💣

Type: string

Default value
"system-cluster-critical"

audit.disableCertRotation💣

Type: bool

Default value
true

audit.affinity💣

Type: object

Default value
{}
Default value (formatted) 
{}

audit.tolerations💣

Type: list

Default value
[]
Default value (formatted) 
[]

audit.nodeSelector.”kubernetes.io/os”💣

Type: string

Default value
"linux"

audit.resources.limits.cpu💣

Type: float

Default value
1.2

audit.resources.limits.memory💣

Type: string

Default value
"768Mi"

audit.resources.requests.cpu💣

Type: float

Default value
1.2

audit.resources.requests.memory💣

Type: string

Default value
"768Mi"

audit.securityContext.allowPrivilegeEscalation💣

Type: bool

Default value
false

audit.securityContext.capabilities.drop[0]💣

Type: string

Default value
"ALL"

audit.securityContext.readOnlyRootFilesystem💣

Type: bool

Default value
true

audit.securityContext.runAsGroup💣

Type: int

Default value
999

audit.securityContext.runAsNonRoot💣

Type: bool

Default value
true

audit.securityContext.runAsUser💣

Type: int

Default value
1000

audit.podSecurityContext.fsGroup💣

Type: int

Default value
999

audit.podSecurityContext.supplementalGroups[0]💣

Type: int

Default value
999

audit.writeToRAMDisk💣

Type: bool

Default value
false

audit.extraRules💣

Type: list

Default value
[]
Default value (formatted) 
[]

crds.affinity💣

Type: object

Default value
{}
Default value (formatted) 
{}

crds.tolerations💣

Type: list

Default value
[]
Default value (formatted) 
[]

crds.nodeSelector.”kubernetes.io/os”💣

Type: string

Default value
"linux"

crds.resources💣

Type: object

Default value
{}
Default value (formatted) 
{}

crds.securityContext.allowPrivilegeEscalation💣

Type: bool

Default value
false

crds.securityContext.capabilities.drop[0]💣

Type: string

Default value
"ALL"

crds.securityContext.readOnlyRootFilesystem💣

Type: bool

Default value
true

crds.securityContext.runAsGroup💣

Type: int

Default value
65532

crds.securityContext.runAsNonRoot💣

Type: bool

Default value
true

crds.securityContext.runAsUser💣

Type: int

Default value
65532

pdb.controllerManager.minAvailable💣

Type: int

Default value
1

service💣

Type: object

Default value
{}
Default value (formatted) 
{}

disabledBuiltins[0]💣

Type: string

Default value
"{http.send}"

psp.enabled💣

Type: bool

Default value
false

upgradeCRDs.enabled💣

Type: bool

Default value
true

upgradeCRDs.extraRules💣

Type: list

Default value
[]
Default value (formatted) 
[]

cleanupCRDs.enabled💣

Type: bool

Default value
true

rbac.create💣

Type: bool

Default value
true

externalCertInjection.enabled💣

Type: bool

Default value
false

externalCertInjection.secretName💣

Type: string

Default value
"gatekeeper-webhook-server-cert"

violations.allowedAppArmorProfiles.enabled💣

Type: bool

Default value
false

violations.allowedAppArmorProfiles.enforcementAction💣

Type: string

Default value
"dryrun"

violations.allowedAppArmorProfiles.kind💣

Type: string

Default value
"K8sPSPAppArmor"

violations.allowedAppArmorProfiles.name💣

Type: string

Default value
"allowed-app-armor-profiles"

violations.allowedAppArmorProfiles.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.allowedAppArmorProfiles.parameters.allowedProfiles[0]💣

Type: string

Default value
"runtime/default"

violations.allowedAppArmorProfiles.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.allowedCapabilities.enabled💣

Type: bool

Default value
true

violations.allowedCapabilities.enforcementAction💣

Type: string

Default value
"dryrun"

violations.allowedCapabilities.kind💣

Type: string

Default value
"K8sPSPCapabilities"

violations.allowedCapabilities.name💣

Type: string

Default value
"allowed-capabilities"

violations.allowedCapabilities.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.allowedCapabilities.parameters.allowedCapabilities💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.allowedCapabilities.parameters.requiredDropCapabilities[0]💣

Type: string

Default value
"all"

violations.allowedCapabilities.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.allowedDockerRegistries.enabled💣

Type: bool

Default value
true

violations.allowedDockerRegistries.enforcementAction💣

Type: string

Default value
"deny"

violations.allowedDockerRegistries.kind💣

Type: string

Default value
"K8sAllowedRepos"

violations.allowedDockerRegistries.name💣

Type: string

Default value
"allowed-docker-registries"

violations.allowedDockerRegistries.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.allowedDockerRegistries.parameters.repos[0]💣

Type: string

Default value
"registry1.dso.mil"

violations.allowedDockerRegistries.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.allowedFlexVolumes.enabled💣

Type: bool

Default value
true

violations.allowedFlexVolumes.enforcementAction💣

Type: string

Default value
"deny"

violations.allowedFlexVolumes.kind💣

Type: string

Default value
"K8sPSPFlexVolumes"

violations.allowedFlexVolumes.name💣

Type: string

Default value
"allowed-flex-volumes"

violations.allowedFlexVolumes.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.allowedFlexVolumes.parameters.allowedFlexVolumes💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.allowedFlexVolumes.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.allowedHostFilesystem.enabled💣

Type: bool

Default value
true

violations.allowedHostFilesystem.enforcementAction💣

Type: string

Default value
"deny"

violations.allowedHostFilesystem.kind💣

Type: string

Default value
"K8sPSPHostFilesystem"

violations.allowedHostFilesystem.name💣

Type: string

Default value
"allowed-host-filesystem"

violations.allowedHostFilesystem.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.allowedHostFilesystem.parameters.allowedHostPaths💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.allowedHostFilesystem.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.allowedIPs.enabled💣

Type: bool

Default value
true

violations.allowedIPs.enforcementAction💣

Type: string

Default value
"deny"

violations.allowedIPs.kind💣

Type: string

Default value
"K8sExternalIPs"

violations.allowedIPs.name💣

Type: string

Default value
"allowed-ips"

violations.allowedIPs.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.allowedIPs.parameters.allowedIPs💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.allowedIPs.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.allowedProcMount.enabled💣

Type: bool

Default value
true

violations.allowedProcMount.enforcementAction💣

Type: string

Default value
"deny"

violations.allowedProcMount.kind💣

Type: string

Default value
"K8sPSPProcMount"

violations.allowedProcMount.name💣

Type: string

Default value
"allowed-proc-mount"

violations.allowedProcMount.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.allowedProcMount.parameters.procMount💣

Type: string

Default value
"Default"

violations.allowedProcMount.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.allowedSecCompProfiles.enabled💣

Type: bool

Default value
true

violations.allowedSecCompProfiles.enforcementAction💣

Type: string

Default value
"dryrun"

violations.allowedSecCompProfiles.kind💣

Type: string

Default value
"K8sPSPSeccomp"

violations.allowedSecCompProfiles.name💣

Type: string

Default value
"allowed-sec-comp-profiles"

violations.allowedSecCompProfiles.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.allowedSecCompProfiles.parameters.allowedProfiles[0]💣

Type: string

Default value
"runtime/default"

violations.allowedSecCompProfiles.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.allowedUsers.enabled💣

Type: bool

Default value
true

violations.allowedUsers.enforcementAction💣

Type: string

Default value
"dryrun"

violations.allowedUsers.kind💣

Type: string

Default value
"K8sPSPAllowedUsers"

violations.allowedUsers.name💣

Type: string

Default value
"allowed-users"

violations.allowedUsers.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.allowedUsers.parameters.runAsUser.rule💣

Type: string

Default value
"MustRunAsNonRoot"

violations.allowedUsers.parameters.fsGroup.rule💣

Type: string

Default value
"MustRunAs"

violations.allowedUsers.parameters.fsGroup.ranges[0].min💣

Type: int

Default value
1000

violations.allowedUsers.parameters.fsGroup.ranges[0].max💣

Type: int

Default value
65535

violations.allowedUsers.parameters.runAsGroup.rule💣

Type: string

Default value
"MustRunAs"

violations.allowedUsers.parameters.runAsGroup.ranges[0].min💣

Type: int

Default value
1000

violations.allowedUsers.parameters.runAsGroup.ranges[0].max💣

Type: int

Default value
65535

violations.allowedUsers.parameters.supplementalGroups.rule💣

Type: string

Default value
"MustRunAs"

violations.allowedUsers.parameters.supplementalGroups.ranges[0].min💣

Type: int

Default value
1000

violations.allowedUsers.parameters.supplementalGroups.ranges[0].max💣

Type: int

Default value
65535

violations.allowedUsers.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.bannedImageTags.enabled💣

Type: bool

Default value
true

violations.bannedImageTags.enforcementAction💣

Type: string

Default value
"deny"

violations.bannedImageTags.kind💣

Type: string

Default value
"K8sBannedImageTags"

violations.bannedImageTags.name💣

Type: string

Default value
"banned-image-tags"

violations.bannedImageTags.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.bannedImageTags.parameters.tags[0]💣

Type: string

Default value
"latest"

violations.bannedImageTags.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.blockNodePort.enabled💣

Type: bool

Default value
true

violations.blockNodePort.enforcementAction💣

Type: string

Default value
"dryrun"

violations.blockNodePort.kind💣

Type: string

Default value
"K8sBlockNodePort"

violations.blockNodePort.name💣

Type: string

Default value
"block-node-ports"

violations.blockNodePort.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.blockNodePort.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.containerRatio.enabled💣

Type: bool

Default value
true

violations.containerRatio.enforcementAction💣

Type: string

Default value
"dryrun"

violations.containerRatio.kind💣

Type: string

Default value
"K8sContainerRatios"

violations.containerRatio.name💣

Type: string

Default value
"container-ratios"

violations.containerRatio.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.containerRatio.parameters.ratio💣

Type: string

Default value
"2"

violations.containerRatio.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.hostNetworking.enabled💣

Type: bool

Default value
true

violations.hostNetworking.enforcementAction💣

Type: string

Default value
"deny"

violations.hostNetworking.kind💣

Type: string

Default value
"K8sPSPHostNetworkingPorts"

violations.hostNetworking.name💣

Type: string

Default value
"host-networking"

violations.hostNetworking.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.hostNetworking.parameters.hostNetwork💣

Type: bool

Default value
false

violations.hostNetworking.parameters.min💣

Type: int

Default value
0

violations.hostNetworking.parameters.max💣

Type: int

Default value
0

violations.hostNetworking.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.httpsOnly.enabled💣

Type: bool

Default value
true

violations.httpsOnly.enforcementAction💣

Type: string

Default value
"deny"

violations.httpsOnly.kind💣

Type: string

Default value
"K8sHttpsOnly2"

violations.httpsOnly.name💣

Type: string

Default value
"https-only"

violations.httpsOnly.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.httpsOnly.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.imageDigest.enabled💣

Type: bool

Default value
true

violations.imageDigest.enforcementAction💣

Type: string

Default value
"dryrun"

violations.imageDigest.kind💣

Type: string

Default value
"K8sImageDigests2"

violations.imageDigest.name💣

Type: string

Default value
"image-digest"

violations.imageDigest.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.imageDigest.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.namespacesHaveIstio.enabled💣

Type: bool

Default value
true

violations.namespacesHaveIstio.enforcementAction💣

Type: string

Default value
"dryrun"

violations.namespacesHaveIstio.kind💣

Type: string

Default value
"K8sRequiredLabelValues"

violations.namespacesHaveIstio.name💣

Type: string

Default value
"namespaces-have-istio"

violations.namespacesHaveIstio.match.namespaceSelector.matchExpressions[0].key💣

Type: string

Default value
"admission.gatekeeper.sh/ignore"

violations.namespacesHaveIstio.match.namespaceSelector.matchExpressions[0].operator💣

Type: string

Default value
"DoesNotExist"

violations.namespacesHaveIstio.parameters.labels[0].allowedRegex💣

Type: string

Default value
"^enabled"

violations.namespacesHaveIstio.parameters.labels[0].key💣

Type: string

Default value
"istio-injection"

violations.namespacesHaveIstio.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.noBigContainers.enabled💣

Type: bool

Default value
true

violations.noBigContainers.enforcementAction💣

Type: string

Default value
"dryrun"

violations.noBigContainers.kind💣

Type: string

Default value
"K8sContainerLimits"

violations.noBigContainers.name💣

Type: string

Default value
"no-big-container"

violations.noBigContainers.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.noBigContainers.parameters.cpu💣

Type: string

Default value
"2000m"

violations.noBigContainers.parameters.memory💣

Type: string

Default value
"4G"

violations.noBigContainers.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.noHostNamespace.enabled💣

Type: bool

Default value
true

violations.noHostNamespace.enforcementAction💣

Type: string

Default value
"deny"

violations.noHostNamespace.kind💣

Type: string

Default value
"K8sPSPHostNamespace2"

violations.noHostNamespace.name💣

Type: string

Default value
"no-host-namespace"

violations.noHostNamespace.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.noHostNamespace.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.noPrivilegedContainers.enabled💣

Type: bool

Default value
true

violations.noPrivilegedContainers.enforcementAction💣

Type: string

Default value
"deny"

violations.noPrivilegedContainers.kind💣

Type: string

Default value
"K8sPSPPrivilegedContainer2"

violations.noPrivilegedContainers.name💣

Type: string

Default value
"no-privileged-containers"

violations.noPrivilegedContainers.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.noPrivilegedContainers.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.noDefaultServiceAccount.enabled💣

Type: bool

Default value
true

violations.noDefaultServiceAccount.enforcementAction💣

Type: string

Default value
"dryrun"

violations.noDefaultServiceAccount.kind💣

Type: string

Default value
"K8sDenySADefault"

violations.noDefaultServiceAccount.name💣

Type: string

Default value
"no-default-service-account"

violations.noDefaultServiceAccount.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.noDefaultServiceAccount.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.noPrivilegedEscalation.enabled💣

Type: bool

Default value
true

violations.noPrivilegedEscalation.enforcementAction💣

Type: string

Default value
"dryrun"

violations.noPrivilegedEscalation.kind💣

Type: string

Default value
"K8sPSPAllowPrivilegeEscalationContainer2"

violations.noPrivilegedEscalation.name💣

Type: string

Default value
"no-privileged-escalation"

violations.noPrivilegedEscalation.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.noPrivilegedEscalation.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.noSysctls.enabled💣

Type: bool

Default value
true

violations.noSysctls.enforcementAction💣

Type: string

Default value
"deny"

violations.noSysctls.kind💣

Type: string

Default value
"K8sPSPForbiddenSysctls"

violations.noSysctls.name💣

Type: string

Default value
"no-sysctls"

violations.noSysctls.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.noSysctls.parameters.forbiddenSysctls[0]💣

Type: string

Default value
"*"

violations.noSysctls.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.podsHaveIstio.enabled💣

Type: bool

Default value
true

violations.podsHaveIstio.enforcementAction💣

Type: string

Default value
"dryrun"

violations.podsHaveIstio.kind💣

Type: string

Default value
"K8sNoAnnotationValues"

violations.podsHaveIstio.name💣

Type: string

Default value
"pods-have-istio"

violations.podsHaveIstio.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.podsHaveIstio.parameters.annotations[0].disallowedRegex💣

Type: string

Default value
"^false"

violations.podsHaveIstio.parameters.annotations[0].key💣

Type: string

Default value
"sidecar.istio.io/inject"

violations.podsHaveIstio.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.readOnlyRoot.enabled💣

Type: bool

Default value
true

violations.readOnlyRoot.enforcementAction💣

Type: string

Default value
"dryrun"

violations.readOnlyRoot.kind💣

Type: string

Default value
"K8sPSPReadOnlyRootFilesystem2"

violations.readOnlyRoot.name💣

Type: string

Default value
"read-only-root"

violations.readOnlyRoot.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.readOnlyRoot.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.requiredLabels.enabled💣

Type: bool

Default value
true

violations.requiredLabels.enforcementAction💣

Type: string

Default value
"dryrun"

violations.requiredLabels.kind💣

Type: string

Default value
"K8sRequiredLabelValues"

violations.requiredLabels.name💣

Type: string

Default value
"required-labels"

violations.requiredLabels.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.requiredLabels.parameters.labels[0].allowedRegex💣

Type: string

Default value
""

violations.requiredLabels.parameters.labels[0].key💣

Type: string

Default value
"app.kubernetes.io/name"

violations.requiredLabels.parameters.labels[1].allowedRegex💣

Type: string

Default value
""

violations.requiredLabels.parameters.labels[1].key💣

Type: string

Default value
"app.kubernetes.io/instance"

violations.requiredLabels.parameters.labels[2].allowedRegex💣

Type: string

Default value
""

violations.requiredLabels.parameters.labels[2].key💣

Type: string

Default value
"app.kubernetes.io/version"

violations.requiredLabels.parameters.labels[3].allowedRegex💣

Type: string

Default value
""

violations.requiredLabels.parameters.labels[3].key💣

Type: string

Default value
"app.kubernetes.io/component"

violations.requiredLabels.parameters.labels[4].allowedRegex💣

Type: string

Default value
""

violations.requiredLabels.parameters.labels[4].key💣

Type: string

Default value
"app.kubernetes.io/part-of"

violations.requiredLabels.parameters.labels[5].allowedRegex💣

Type: string

Default value
""

violations.requiredLabels.parameters.labels[5].key💣

Type: string

Default value
"app.kubernetes.io/managed-by"

violations.requiredLabels.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.requiredProbes.enabled💣

Type: bool

Default value
true

violations.requiredProbes.enforcementAction💣

Type: string

Default value
"dryrun"

violations.requiredProbes.kind💣

Type: string

Default value
"K8sRequiredProbes"

violations.requiredProbes.name💣

Type: string

Default value
"required-probes"

violations.requiredProbes.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.requiredProbes.parameters.probeTypes[0]💣

Type: string

Default value
"tcpSocket"

violations.requiredProbes.parameters.probeTypes[1]💣

Type: string

Default value
"httpGet"

violations.requiredProbes.parameters.probeTypes[2]💣

Type: string

Default value
"exec"

violations.requiredProbes.parameters.probes[0]💣

Type: string

Default value
"readinessProbe"

violations.requiredProbes.parameters.probes[1]💣

Type: string

Default value
"livenessProbe"

violations.requiredProbes.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.restrictedTaint.enabled💣

Type: bool

Default value
true

violations.restrictedTaint.enforcementAction💣

Type: string

Default value
"deny"

violations.restrictedTaint.kind💣

Type: string

Default value
"RestrictedTaintToleration"

violations.restrictedTaint.name💣

Type: string

Default value
"restricted-taint"

violations.restrictedTaint.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.restrictedTaint.parameters.allowGlobalToleration💣

Type: bool

Default value
false

violations.restrictedTaint.parameters.restrictedTaint.effect💣

Type: string

Default value
"NoSchedule"

violations.restrictedTaint.parameters.restrictedTaint.key💣

Type: string

Default value
"privileged"

violations.restrictedTaint.parameters.restrictedTaint.value💣

Type: string

Default value
"true"

violations.restrictedTaint.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.selinuxPolicy.enabled💣

Type: bool

Default value
true

violations.selinuxPolicy.enforcementAction💣

Type: string

Default value
"deny"

violations.selinuxPolicy.kind💣

Type: string

Default value
"K8sPSPSELinuxV2"

violations.selinuxPolicy.name💣

Type: string

Default value
"selinux-policy"

violations.selinuxPolicy.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.selinuxPolicy.parameters.allowedSELinuxOptions💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.selinuxPolicy.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.uniqueIngressHost.enabled💣

Type: bool

Default value
true

violations.uniqueIngressHost.enforcementAction💣

Type: string

Default value
"deny"

violations.uniqueIngressHost.kind💣

Type: string

Default value
"K8sUniqueIngressHost"

violations.uniqueIngressHost.name💣

Type: string

Default value
"unique-ingress-hosts"

violations.uniqueIngressHost.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.uniqueIngressHost.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

violations.volumeTypes.enabled💣

Type: bool

Default value
true

violations.volumeTypes.enforcementAction💣

Type: string

Default value
"deny"

violations.volumeTypes.kind💣

Type: string

Default value
"K8sPSPVolumeTypes"

violations.volumeTypes.name💣

Type: string

Default value
"volume-types"

violations.volumeTypes.match💣

Type: object

Default value
{}
Default value (formatted) 
{}

violations.volumeTypes.parameters.volumes[0]💣

Type: string

Default value
"configMap"

violations.volumeTypes.parameters.volumes[1]💣

Type: string

Default value
"emptyDir"

violations.volumeTypes.parameters.volumes[2]💣

Type: string

Default value
"projected"

violations.volumeTypes.parameters.volumes[3]💣

Type: string

Default value
"secret"

violations.volumeTypes.parameters.volumes[4]💣

Type: string

Default value
"downwardAPI"

violations.volumeTypes.parameters.volumes[5]💣

Type: string

Default value
"persistentVolumeClaim"

violations.volumeTypes.parameters.excludedResources💣

Type: list

Default value
[]
Default value (formatted) 
[]

monitoring.enabled💣

Type: bool

Default value
false

networkPolicies.enabled💣

Type: bool

Default value
false

networkPolicies.controlPlaneCidr💣

Type: string

Default value
"0.0.0.0/0"

bbtests.enabled💣

Type: bool

Default value
false

bbtests.scripts.image💣

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.26.1"

bbtests.scripts.additionalVolumeMounts[0].name💣

Type: string

Default value
"{{ .Chart.Name }}-test-config"

bbtests.scripts.additionalVolumeMounts[0].mountPath💣

Type: string

Default value
"/yaml"

bbtests.scripts.additionalVolumeMounts[1].name💣

Type: string

Default value
"{{ .Chart.Name }}-kube-cache"

bbtests.scripts.additionalVolumeMounts[1].mountPath💣

Type: string

Default value
"/.kube/cache"

bbtests.scripts.additionalVolumes[0].name💣

Type: string

Default value
"{{ .Chart.Name }}-test-config"

bbtests.scripts.additionalVolumes[0].configMap.name💣

Type: string

Default value
"{{ .Chart.Name }}-test-config"

bbtests.scripts.additionalVolumes[1].name💣

Type: string

Default value
"{{ .Chart.Name }}-kube-cache"

bbtests.scripts.additionalVolumes[1].emptyDir💣

Type: object

Default value
{}
Default value (formatted) 
{}