policy values.yaml
openshift
Type: bool
false
replicas
Type: int
3
auditInterval
Type: int
300
metricsBackends[0]
Type: string
"prometheus"
auditMatchKindOnly
Type: bool
true
constraintViolationsLimit
Type: int
1000
auditFromCache
Type: bool
false
disableMutation
Type: bool
true
disableValidatingWebhook
Type: bool
false
validatingWebhookTimeoutSeconds
Type: int
15
validatingWebhookFailurePolicy
Type: string
"Ignore"
validatingWebhookAnnotations
Type: object
{}
Default value (formatted)
{}
validatingWebhookExemptNamespacesLabels
Type: object
{}
Default value (formatted)
{}
validatingWebhookObjectSelector
Type: object
{}
Default value (formatted)
{}
validatingWebhookCheckIgnoreFailurePolicy
Type: string
"Fail"
validatingWebhookCustomRules
Type: object
{}
Default value (formatted)
{}
enableDeleteOperations
Type: bool
false
enableExternalData
Type: bool
true
enableGeneratorResourceExpansion
Type: bool
false
enableTLSHealthcheck
Type: bool
false
maxServingThreads
Type: int
-1
mutatingWebhookFailurePolicy
Type: string
"Ignore"
mutatingWebhookReinvocationPolicy
Type: string
"Never"
mutatingWebhookAnnotations
Type: object
{}
Default value (formatted)
{}
mutatingWebhookExemptNamespacesLabels
Type: object
{}
Default value (formatted)
{}
mutatingWebhookObjectSelector
Type: object
{}
Default value (formatted)
{}
mutatingWebhookTimeoutSeconds
Type: int
1
mutatingWebhookCustomRules
Type: object
{}
Default value (formatted)
{}
mutationAnnotations
Type: bool
false
auditChunkSize
Type: int
500
logLevel
Type: string
"INFO"
logDenies
Type: bool
true
logMutations
Type: bool
true
emitAdmissionEvents
Type: bool
false
emitAuditEvents
Type: bool
false
resourceQuota
Type: bool
true
postUpgrade.labelNamespace.enabled
Type: bool
false
postUpgrade.labelNamespace.image.repository
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
postUpgrade.labelNamespace.image.tag
Type: string
"v1.26.3"
postUpgrade.labelNamespace.image.pullPolicy
Type: string
"IfNotPresent"
postUpgrade.labelNamespace.image.pullSecrets
Type: list
[]
Default value (formatted)
[]
postUpgrade.labelNamespace.extraNamespaces
Type: list
[]
Default value (formatted)
[]
postUpgrade.labelNamespace.podSecurity
Type: list
[]
Default value (formatted)
[]
postUpgrade.affinity
Type: object
{}
Default value (formatted)
{}
postUpgrade.tolerations
Type: list
[]
Default value (formatted)
[]
postUpgrade.nodeSelector."kubernetes.io/os"
Type: string
"linux"
postUpgrade.resources
Type: object
{}
Default value (formatted)
{}
postUpgrade.securityContext.allowPrivilegeEscalation
Type: bool
false
postUpgrade.securityContext.capabilities.drop[0]
Type: string
"ALL"
postUpgrade.securityContext.readOnlyRootFilesystem
Type: bool
true
postUpgrade.securityContext.runAsGroup
Type: int
999
postUpgrade.securityContext.runAsNonRoot
Type: bool
true
postUpgrade.securityContext.runAsUser
Type: int
1000
postInstall.labelNamespace.enabled
Type: bool
true
postInstall.labelNamespace.extraRules
Type: list
[]
Default value (formatted)
[]
postInstall.labelNamespace.image.repository
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
postInstall.labelNamespace.image.tag
Type: string
"v1.26.3"
postInstall.labelNamespace.image.pullPolicy
Type: string
"IfNotPresent"
postInstall.labelNamespace.image.pullSecrets
Type: list
[]
Default value (formatted)
[]
postInstall.labelNamespace.extraNamespaces
Type: list
[]
Default value (formatted)
[]
postInstall.labelNamespace.podSecurity
Type: list
[]
Default value (formatted)
[]
postInstall.probeWebhook.enabled
Type: bool
true
postInstall.probeWebhook.image.repository
Type: string
"registry1.dso.mil/ironbank/big-bang/base"
postInstall.probeWebhook.image.tag
Type: string
"2.0.0"
postInstall.probeWebhook.image.pullPolicy
Type: string
"IfNotPresent"
postInstall.probeWebhook.image.pullSecrets
Type: list
[]
Default value (formatted)
[]
postInstall.probeWebhook.waitTimeout
Type: int
60
postInstall.probeWebhook.httpTimeout
Type: int
2
postInstall.probeWebhook.insecureHTTPS
Type: bool
false
postInstall.affinity
Type: object
{}
Default value (formatted)
{}
postInstall.tolerations
Type: list
[]
Default value (formatted)
[]
postInstall.nodeSelector."kubernetes.io/os"
Type: string
"linux"
postInstall.securityContext.allowPrivilegeEscalation
Type: bool
false
postInstall.securityContext.capabilities.drop[0]
Type: string
"ALL"
postInstall.securityContext.readOnlyRootFilesystem
Type: bool
true
postInstall.securityContext.runAsGroup
Type: int
999
postInstall.securityContext.runAsNonRoot
Type: bool
true
postInstall.securityContext.runAsUser
Type: int
1000
preUninstall.deleteWebhookConfigurations.extraRules
Type: list
[]
Default value (formatted)
[]
preUninstall.deleteWebhookConfigurations.enabled
Type: bool
false
preUninstall.deleteWebhookConfigurations.image.repository
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
preUninstall.deleteWebhookConfigurations.image.tag
Type: string
"v1.26.3"
preUninstall.deleteWebhookConfigurations.image.pullPolicy
Type: string
"IfNotPresent"
preUninstall.deleteWebhookConfigurations.image.pullSecrets
Type: list
[]
Default value (formatted)
[]
preUninstall.affinity
Type: object
{}
Default value (formatted)
{}
preUninstall.tolerations
Type: list
[]
Default value (formatted)
[]
preUninstall.nodeSelector."kubernetes.io/os"
Type: string
"linux"
preUninstall.resources
Type: object
{}
Default value (formatted)
{}
preUninstall.securityContext.allowPrivilegeEscalation
Type: bool
false
preUninstall.securityContext.capabilities.drop[0]
Type: string
"ALL"
preUninstall.securityContext.readOnlyRootFilesystem
Type: bool
true
preUninstall.securityContext.runAsGroup
Type: int
999
preUninstall.securityContext.runAsNonRoot
Type: bool
true
preUninstall.securityContext.runAsUser
Type: int
1000
image.repository
Type: string
"registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper"
image.release
Type: string
"v3.11.0"
image.pullPolicy
Type: string
"IfNotPresent"
image.pullSecrets[0].name
Type: string
"private-registry"
image.crdRepository
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
image.crdRelease
Type: string
"v1.26.3"
podAnnotations."container.seccomp.security.alpha.kubernetes.io/manager"
Type: string
"runtime/default"
podLabels
Type: object
{}
Default value (formatted)
{}
podCountLimit
Type: string
"100"
secretAnnotations
Type: object
{}
Default value (formatted)
{}
enableRuntimeDefaultSeccompProfile
Type: bool
true
controllerManager.exemptNamespaces
Type: list
[]
Default value (formatted)
[]
controllerManager.exemptNamespacePrefixes
Type: list
[]
Default value (formatted)
[]
controllerManager.hostNetwork
Type: bool
false
controllerManager.dnsPolicy
Type: string
"ClusterFirst"
controllerManager.port
Type: int
8443
controllerManager.metricsPort
Type: int
8888
controllerManager.healthPort
Type: int
9090
controllerManager.readinessTimeout
Type: int
1
controllerManager.livenessTimeout
Type: int
1
controllerManager.priorityClassName
Type: string
"system-cluster-critical"
controllerManager.disableCertRotation
Type: bool
false
controllerManager.tlsMinVersion
Type: float
1.3
controllerManager.clientCertName
Type: string
""
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].key
Type: string
"gatekeeper.sh/operation"
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].operator
Type: string
"In"
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values[0]
Type: string
"webhook"
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey
Type: string
"kubernetes.io/hostname"
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight
Type: int
100
controllerManager.topologySpreadConstraints
Type: list
[]
Default value (formatted)
[]
controllerManager.tolerations
Type: list
[]
Default value (formatted)
[]
controllerManager.nodeSelector."kubernetes.io/os"
Type: string
"linux"
controllerManager.resources.limits.cpu
Type: string
"175m"
controllerManager.resources.limits.memory
Type: string
"512Mi"
controllerManager.resources.requests.cpu
Type: string
"175m"
controllerManager.resources.requests.memory
Type: string
"512Mi"
controllerManager.securityContext.allowPrivilegeEscalation
Type: bool
false
controllerManager.securityContext.capabilities.drop[0]
Type: string
"ALL"
controllerManager.securityContext.readOnlyRootFilesystem
Type: bool
true
controllerManager.securityContext.runAsGroup
Type: int
999
controllerManager.securityContext.runAsNonRoot
Type: bool
true
controllerManager.securityContext.runAsUser
Type: int
1000
controllerManager.podSecurityContext.fsGroup
Type: int
999
controllerManager.podSecurityContext.supplementalGroups[0]
Type: int
999
controllerManager.extraRules
Type: list
[]
Default value (formatted)
[]
audit.hostNetwork
Type: bool
false
audit.dnsPolicy
Type: string
"ClusterFirst"
audit.metricsPort
Type: int
8888
audit.healthPort
Type: int
9090
audit.readinessTimeout
Type: int
1
audit.livenessTimeout
Type: int
1
audit.priorityClassName
Type: string
"system-cluster-critical"
audit.disableCertRotation
Type: bool
true
audit.affinity
Type: object
{}
Default value (formatted)
{}
audit.tolerations
Type: list
[]
Default value (formatted)
[]
audit.nodeSelector."kubernetes.io/os"
Type: string
"linux"
audit.resources.limits.cpu
Type: float
1.2
audit.resources.limits.memory
Type: string
"768Mi"
audit.resources.requests.cpu
Type: float
1.2
audit.resources.requests.memory
Type: string
"768Mi"
audit.securityContext.allowPrivilegeEscalation
Type: bool
false
audit.securityContext.capabilities.drop[0]
Type: string
"ALL"
audit.securityContext.readOnlyRootFilesystem
Type: bool
true
audit.securityContext.runAsGroup
Type: int
999
audit.securityContext.runAsNonRoot
Type: bool
true
audit.securityContext.runAsUser
Type: int
1000
audit.podSecurityContext.fsGroup
Type: int
999
audit.podSecurityContext.supplementalGroups[0]
Type: int
999
audit.writeToRAMDisk
Type: bool
false
audit.extraRules
Type: list
[]
Default value (formatted)
[]
crds.affinity
Type: object
{}
Default value (formatted)
{}
crds.tolerations
Type: list
[]
Default value (formatted)
[]
crds.nodeSelector."kubernetes.io/os"
Type: string
"linux"
crds.resources
Type: object
{}
Default value (formatted)
{}
crds.securityContext.allowPrivilegeEscalation
Type: bool
false
crds.securityContext.capabilities.drop[0]
Type: string
"ALL"
crds.securityContext.readOnlyRootFilesystem
Type: bool
true
crds.securityContext.runAsGroup
Type: int
65532
crds.securityContext.runAsNonRoot
Type: bool
true
crds.securityContext.runAsUser
Type: int
65532
pdb.controllerManager.minAvailable
Type: int
1
service
Type: object
{}
Default value (formatted)
{}
disabledBuiltins[0]
Type: string
"{http.send}"
psp.enabled
Type: bool
false
upgradeCRDs.enabled
Type: bool
true
upgradeCRDs.extraRules
Type: list
[]
Default value (formatted)
[]
cleanupCRDs.enabled
Type: bool
true
rbac.create
Type: bool
true
externalCertInjection.enabled
Type: bool
false
externalCertInjection.secretName
Type: string
"gatekeeper-webhook-server-cert"
violations.allowedAppArmorProfiles.enabled
Type: bool
false
violations.allowedAppArmorProfiles.enforcementAction
Type: string
"dryrun"
violations.allowedAppArmorProfiles.kind
Type: string
"K8sPSPAppArmor"
violations.allowedAppArmorProfiles.name
Type: string
"allowed-app-armor-profiles"
violations.allowedAppArmorProfiles.match
Type: object
{}
Default value (formatted)
{}
violations.allowedAppArmorProfiles.parameters.allowedProfiles[0]
Type: string
"runtime/default"
violations.allowedAppArmorProfiles.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.allowedCapabilities.enabled
Type: bool
true
violations.allowedCapabilities.enforcementAction
Type: string
"dryrun"
violations.allowedCapabilities.kind
Type: string
"K8sPSPCapabilities"
violations.allowedCapabilities.name
Type: string
"allowed-capabilities"
violations.allowedCapabilities.match
Type: object
{}
Default value (formatted)
{}
violations.allowedCapabilities.parameters.allowedCapabilities
Type: list
[]
Default value (formatted)
[]
violations.allowedCapabilities.parameters.requiredDropCapabilities[0]
Type: string
"all"
violations.allowedCapabilities.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.allowedDockerRegistries.enabled
Type: bool
true
violations.allowedDockerRegistries.enforcementAction
Type: string
"deny"
violations.allowedDockerRegistries.kind
Type: string
"K8sAllowedRepos"
violations.allowedDockerRegistries.name
Type: string
"allowed-docker-registries"
violations.allowedDockerRegistries.match
Type: object
{}
Default value (formatted)
{}
violations.allowedDockerRegistries.parameters.repos[0]
Type: string
"registry1.dso.mil"
violations.allowedDockerRegistries.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.allowedFlexVolumes.enabled
Type: bool
true
violations.allowedFlexVolumes.enforcementAction
Type: string
"deny"
violations.allowedFlexVolumes.kind
Type: string
"K8sPSPFlexVolumes"
violations.allowedFlexVolumes.name
Type: string
"allowed-flex-volumes"
violations.allowedFlexVolumes.match
Type: object
{}
Default value (formatted)
{}
violations.allowedFlexVolumes.parameters.allowedFlexVolumes
Type: list
[]
Default value (formatted)
[]
violations.allowedFlexVolumes.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.allowedHostFilesystem.enabled
Type: bool
true
violations.allowedHostFilesystem.enforcementAction
Type: string
"deny"
violations.allowedHostFilesystem.kind
Type: string
"K8sPSPHostFilesystem"
violations.allowedHostFilesystem.name
Type: string
"allowed-host-filesystem"
violations.allowedHostFilesystem.match
Type: object
{}
Default value (formatted)
{}
violations.allowedHostFilesystem.parameters.allowedHostPaths
Type: list
[]
Default value (formatted)
[]
violations.allowedHostFilesystem.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.allowedIPs.enabled
Type: bool
true
violations.allowedIPs.enforcementAction
Type: string
"deny"
violations.allowedIPs.kind
Type: string
"K8sExternalIPs"
violations.allowedIPs.name
Type: string
"allowed-ips"
violations.allowedIPs.match
Type: object
{}
Default value (formatted)
{}
violations.allowedIPs.parameters.allowedIPs
Type: list
[]
Default value (formatted)
[]
violations.allowedIPs.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.allowedProcMount.enabled
Type: bool
true
violations.allowedProcMount.enforcementAction
Type: string
"deny"
violations.allowedProcMount.kind
Type: string
"K8sPSPProcMount"
violations.allowedProcMount.name
Type: string
"allowed-proc-mount"
violations.allowedProcMount.match
Type: object
{}
Default value (formatted)
{}
violations.allowedProcMount.parameters.procMount
Type: string
"Default"
violations.allowedProcMount.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.allowedSecCompProfiles.enabled
Type: bool
true
violations.allowedSecCompProfiles.enforcementAction
Type: string
"dryrun"
violations.allowedSecCompProfiles.kind
Type: string
"K8sPSPSeccomp"
violations.allowedSecCompProfiles.name
Type: string
"allowed-sec-comp-profiles"
violations.allowedSecCompProfiles.match
Type: object
{}
Default value (formatted)
{}
violations.allowedSecCompProfiles.parameters.allowedProfiles[0]
Type: string
"runtime/default"
violations.allowedSecCompProfiles.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.allowedUsers.enabled
Type: bool
true
violations.allowedUsers.enforcementAction
Type: string
"dryrun"
violations.allowedUsers.kind
Type: string
"K8sPSPAllowedUsers"
violations.allowedUsers.name
Type: string
"allowed-users"
violations.allowedUsers.match
Type: object
{}
Default value (formatted)
{}
violations.allowedUsers.parameters.runAsUser.rule
Type: string
"MustRunAsNonRoot"
violations.allowedUsers.parameters.fsGroup.rule
Type: string
"MustRunAs"
violations.allowedUsers.parameters.fsGroup.ranges[0].min
Type: int
1000
violations.allowedUsers.parameters.fsGroup.ranges[0].max
Type: int
65535
violations.allowedUsers.parameters.runAsGroup.rule
Type: string
"MustRunAs"
violations.allowedUsers.parameters.runAsGroup.ranges[0].min
Type: int
1000
violations.allowedUsers.parameters.runAsGroup.ranges[0].max
Type: int
65535
violations.allowedUsers.parameters.supplementalGroups.rule
Type: string
"MustRunAs"
violations.allowedUsers.parameters.supplementalGroups.ranges[0].min
Type: int
1000
violations.allowedUsers.parameters.supplementalGroups.ranges[0].max
Type: int
65535
violations.allowedUsers.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.bannedImageTags.enabled
Type: bool
true
violations.bannedImageTags.enforcementAction
Type: string
"deny"
violations.bannedImageTags.kind
Type: string
"K8sBannedImageTags"
violations.bannedImageTags.name
Type: string
"banned-image-tags"
violations.bannedImageTags.match
Type: object
{}
Default value (formatted)
{}
violations.bannedImageTags.parameters.tags[0]
Type: string
"latest"
violations.bannedImageTags.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.blockNodePort.enabled
Type: bool
true
violations.blockNodePort.enforcementAction
Type: string
"dryrun"
violations.blockNodePort.kind
Type: string
"K8sBlockNodePort"
violations.blockNodePort.name
Type: string
"block-node-ports"
violations.blockNodePort.match
Type: object
{}
Default value (formatted)
{}
violations.blockNodePort.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.containerRatio.enabled
Type: bool
true
violations.containerRatio.enforcementAction
Type: string
"dryrun"
violations.containerRatio.kind
Type: string
"K8sContainerRatios"
violations.containerRatio.name
Type: string
"container-ratios"
violations.containerRatio.match
Type: object
{}
Default value (formatted)
{}
violations.containerRatio.parameters.ratio
Type: string
"2"
violations.containerRatio.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.hostNetworking.enabled
Type: bool
true
violations.hostNetworking.enforcementAction
Type: string
"deny"
violations.hostNetworking.kind
Type: string
"K8sPSPHostNetworkingPorts"
violations.hostNetworking.name
Type: string
"host-networking"
violations.hostNetworking.match
Type: object
{}
Default value (formatted)
{}
violations.hostNetworking.parameters.hostNetwork
Type: bool
false
violations.hostNetworking.parameters.min
Type: int
0
violations.hostNetworking.parameters.max
Type: int
0
violations.hostNetworking.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.httpsOnly.enabled
Type: bool
true
violations.httpsOnly.enforcementAction
Type: string
"deny"
violations.httpsOnly.kind
Type: string
"K8sHttpsOnly2"
violations.httpsOnly.name
Type: string
"https-only"
violations.httpsOnly.match
Type: object
{}
Default value (formatted)
{}
violations.httpsOnly.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.imageDigest.enabled
Type: bool
true
violations.imageDigest.enforcementAction
Type: string
"dryrun"
violations.imageDigest.kind
Type: string
"K8sImageDigests2"
violations.imageDigest.name
Type: string
"image-digest"
violations.imageDigest.match
Type: object
{}
Default value (formatted)
{}
violations.imageDigest.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.namespacesHaveIstio.enabled
Type: bool
true
violations.namespacesHaveIstio.enforcementAction
Type: string
"dryrun"
violations.namespacesHaveIstio.kind
Type: string
"K8sRequiredLabelValues"
violations.namespacesHaveIstio.name
Type: string
"namespaces-have-istio"
violations.namespacesHaveIstio.match.namespaceSelector.matchExpressions[0].key
Type: string
"admission.gatekeeper.sh/ignore"
violations.namespacesHaveIstio.match.namespaceSelector.matchExpressions[0].operator
Type: string
"DoesNotExist"
violations.namespacesHaveIstio.parameters.labels[0].allowedRegex
Type: string
"^enabled"
violations.namespacesHaveIstio.parameters.labels[0].key
Type: string
"istio-injection"
violations.namespacesHaveIstio.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.noBigContainers.enabled
Type: bool
true
violations.noBigContainers.enforcementAction
Type: string
"dryrun"
violations.noBigContainers.kind
Type: string
"K8sContainerLimits"
violations.noBigContainers.name
Type: string
"no-big-container"
violations.noBigContainers.match
Type: object
{}
Default value (formatted)
{}
violations.noBigContainers.parameters.cpu
Type: string
"2000m"
violations.noBigContainers.parameters.memory
Type: string
"4G"
violations.noBigContainers.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.noHostNamespace.enabled
Type: bool
true
violations.noHostNamespace.enforcementAction
Type: string
"deny"
violations.noHostNamespace.kind
Type: string
"K8sPSPHostNamespace2"
violations.noHostNamespace.name
Type: string
"no-host-namespace"
violations.noHostNamespace.match
Type: object
{}
Default value (formatted)
{}
violations.noHostNamespace.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.noPrivilegedContainers.enabled
Type: bool
true
violations.noPrivilegedContainers.enforcementAction
Type: string
"deny"
violations.noPrivilegedContainers.kind
Type: string
"K8sPSPPrivilegedContainer2"
violations.noPrivilegedContainers.name
Type: string
"no-privileged-containers"
violations.noPrivilegedContainers.match
Type: object
{}
Default value (formatted)
{}
violations.noPrivilegedContainers.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.noDefaultServiceAccount.enabled
Type: bool
true
violations.noDefaultServiceAccount.enforcementAction
Type: string
"dryrun"
violations.noDefaultServiceAccount.kind
Type: string
"K8sDenySADefault"
violations.noDefaultServiceAccount.name
Type: string
"no-default-service-account"
violations.noDefaultServiceAccount.match
Type: object
{}
Default value (formatted)
{}
violations.noDefaultServiceAccount.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.noPrivilegedEscalation.enabled
Type: bool
true
violations.noPrivilegedEscalation.enforcementAction
Type: string
"dryrun"
violations.noPrivilegedEscalation.kind
Type: string
"K8sPSPAllowPrivilegeEscalationContainer2"
violations.noPrivilegedEscalation.name
Type: string
"no-privileged-escalation"
violations.noPrivilegedEscalation.match
Type: object
{}
Default value (formatted)
{}
violations.noPrivilegedEscalation.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.noSysctls.enabled
Type: bool
true
violations.noSysctls.enforcementAction
Type: string
"deny"
violations.noSysctls.kind
Type: string
"K8sPSPForbiddenSysctls"
violations.noSysctls.name
Type: string
"no-sysctls"
violations.noSysctls.match
Type: object
{}
Default value (formatted)
{}
violations.noSysctls.parameters.forbiddenSysctls[0]
Type: string
"*"
violations.noSysctls.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.podsHaveIstio.enabled
Type: bool
true
violations.podsHaveIstio.enforcementAction
Type: string
"dryrun"
violations.podsHaveIstio.kind
Type: string
"K8sNoAnnotationValues"
violations.podsHaveIstio.name
Type: string
"pods-have-istio"
violations.podsHaveIstio.match
Type: object
{}
Default value (formatted)
{}
violations.podsHaveIstio.parameters.annotations[0].disallowedRegex
Type: string
"^false"
violations.podsHaveIstio.parameters.annotations[0].key
Type: string
"sidecar.istio.io/inject"
violations.podsHaveIstio.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.readOnlyRoot.enabled
Type: bool
true
violations.readOnlyRoot.enforcementAction
Type: string
"dryrun"
violations.readOnlyRoot.kind
Type: string
"K8sPSPReadOnlyRootFilesystem2"
violations.readOnlyRoot.name
Type: string
"read-only-root"
violations.readOnlyRoot.match
Type: object
{}
Default value (formatted)
{}
violations.readOnlyRoot.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.requiredLabels.enabled
Type: bool
true
violations.requiredLabels.enforcementAction
Type: string
"dryrun"
violations.requiredLabels.kind
Type: string
"K8sRequiredLabelValues"
violations.requiredLabels.name
Type: string
"required-labels"
violations.requiredLabels.match
Type: object
{}
Default value (formatted)
{}
violations.requiredLabels.parameters.labels[0].allowedRegex
Type: string
""
violations.requiredLabels.parameters.labels[0].key
Type: string
"app.kubernetes.io/name"
violations.requiredLabels.parameters.labels[1].allowedRegex
Type: string
""
violations.requiredLabels.parameters.labels[1].key
Type: string
"app.kubernetes.io/instance"
violations.requiredLabels.parameters.labels[2].allowedRegex
Type: string
""
violations.requiredLabels.parameters.labels[2].key
Type: string
"app.kubernetes.io/version"
violations.requiredLabels.parameters.labels[3].allowedRegex
Type: string
""
violations.requiredLabels.parameters.labels[3].key
Type: string
"app.kubernetes.io/component"
violations.requiredLabels.parameters.labels[4].allowedRegex
Type: string
""
violations.requiredLabels.parameters.labels[4].key
Type: string
"app.kubernetes.io/part-of"
violations.requiredLabels.parameters.labels[5].allowedRegex
Type: string
""
violations.requiredLabels.parameters.labels[5].key
Type: string
"app.kubernetes.io/managed-by"
violations.requiredLabels.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.requiredProbes.enabled
Type: bool
true
violations.requiredProbes.enforcementAction
Type: string
"dryrun"
violations.requiredProbes.kind
Type: string
"K8sRequiredProbes"
violations.requiredProbes.name
Type: string
"required-probes"
violations.requiredProbes.match
Type: object
{}
Default value (formatted)
{}
violations.requiredProbes.parameters.probeTypes[0]
Type: string
"tcpSocket"
violations.requiredProbes.parameters.probeTypes[1]
Type: string
"httpGet"
violations.requiredProbes.parameters.probeTypes[2]
Type: string
"exec"
violations.requiredProbes.parameters.probes[0]
Type: string
"readinessProbe"
violations.requiredProbes.parameters.probes[1]
Type: string
"livenessProbe"
violations.requiredProbes.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.restrictedTaint.enabled
Type: bool
true
violations.restrictedTaint.enforcementAction
Type: string
"deny"
violations.restrictedTaint.kind
Type: string
"RestrictedTaintToleration"
violations.restrictedTaint.name
Type: string
"restricted-taint"
violations.restrictedTaint.match
Type: object
{}
Default value (formatted)
{}
violations.restrictedTaint.parameters.allowGlobalToleration
Type: bool
false
violations.restrictedTaint.parameters.restrictedTaint.effect
Type: string
"NoSchedule"
violations.restrictedTaint.parameters.restrictedTaint.key
Type: string
"privileged"
violations.restrictedTaint.parameters.restrictedTaint.value
Type: string
"true"
violations.restrictedTaint.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.selinuxPolicy.enabled
Type: bool
true
violations.selinuxPolicy.enforcementAction
Type: string
"deny"
violations.selinuxPolicy.kind
Type: string
"K8sPSPSELinuxV2"
violations.selinuxPolicy.name
Type: string
"selinux-policy"
violations.selinuxPolicy.match
Type: object
{}
Default value (formatted)
{}
violations.selinuxPolicy.parameters.allowedSELinuxOptions
Type: list
[]
Default value (formatted)
[]
violations.selinuxPolicy.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.uniqueIngressHost.enabled
Type: bool
true
violations.uniqueIngressHost.enforcementAction
Type: string
"deny"
violations.uniqueIngressHost.kind
Type: string
"K8sUniqueIngressHost"
violations.uniqueIngressHost.name
Type: string
"unique-ingress-hosts"
violations.uniqueIngressHost.match
Type: object
{}
Default value (formatted)
{}
violations.uniqueIngressHost.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
violations.volumeTypes.enabled
Type: bool
true
violations.volumeTypes.enforcementAction
Type: string
"deny"
violations.volumeTypes.kind
Type: string
"K8sPSPVolumeTypes"
violations.volumeTypes.name
Type: string
"volume-types"
violations.volumeTypes.match
Type: object
{}
Default value (formatted)
{}
violations.volumeTypes.parameters.volumes[0]
Type: string
"configMap"
violations.volumeTypes.parameters.volumes[1]
Type: string
"emptyDir"
violations.volumeTypes.parameters.volumes[2]
Type: string
"projected"
violations.volumeTypes.parameters.volumes[3]
Type: string
"secret"
violations.volumeTypes.parameters.volumes[4]
Type: string
"downwardAPI"
violations.volumeTypes.parameters.volumes[5]
Type: string
"persistentVolumeClaim"
violations.volumeTypes.parameters.excludedResources
Type: list
[]
Default value (formatted)
[]
monitoring.enabled
Type: bool
false
networkPolicies.enabled
Type: bool
false
networkPolicies.controlPlaneCidr
Type: string
"0.0.0.0/0"
bbtests.enabled
Type: bool
false
bbtests.scripts.image
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.26.3"
bbtests.scripts.additionalVolumeMounts[0].name
Type: string
"{{ .Chart.Name }}-test-config"
bbtests.scripts.additionalVolumeMounts[0].mountPath
Type: string
"/yaml"
bbtests.scripts.additionalVolumeMounts[1].name
Type: string
"{{ .Chart.Name }}-kube-cache"
bbtests.scripts.additionalVolumeMounts[1].mountPath
Type: string
"/.kube/cache"
bbtests.scripts.additionalVolumes[0].name
Type: string
"{{ .Chart.Name }}-test-config"
bbtests.scripts.additionalVolumes[0].configMap.name
Type: string
"{{ .Chart.Name }}-test-config"
bbtests.scripts.additionalVolumes[1].name
Type: string
"{{ .Chart.Name }}-kube-cache"
bbtests.scripts.additionalVolumes[1].emptyDir
Type: object
{}
Default value (formatted)
{}