kyverno-policies values.yaml
💣
enabled💣
Type: bool
true
Description: Enable policy deployments
validationFailureAction💣
Type: string
""
Description: Override all policies’ validation failure action with “Audit” or “Enforce”. If blank, uses policy setting.
failurePolicy💣
Type: string
"Fail"
Description: API server behavior if the webhook fails to respond (‘Ignore’, ‘Fail’) For more info: https://kyverno.io/docs/writing-policies/policy-settings/
background💣
Type: bool
true
Description: Policies background mode
kyvernoVersion💣
Type: string
"autodetect"
Description: Kyverno version The default of “autodetect” will try to determine the currently installed version from the deployment
webhookTimeoutSeconds💣
Type: int
30
Description: Override all policies’ time to wait for admission webhook to respond. If blank, uses policy setting or default (10). Range is 1 to 30.
exclude💣
Type: object
{}
Default value (formatted)
{}
Description: Adds an exclusion to all policies. This is merged with any policy-specific excludes. See https://kyverno.io/docs/writing-policies/match-exclude for fields.
excludeContainers💣
Type: list
[]
Default value (formatted)
[]
Description: Adds an excludeContainers to all policies. This is merged with any policy-specific excludeContainers.
customLabels💣
Type: object
{}
Default value (formatted)
{}
Description: Additional labels to apply to all policies.
policyPreconditions💣
Type: object
{}
Default value (formatted)
{}
Description: Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the policyPreconditions
map.
waitforready.enabled💣
Type: bool
true
Description: Controls wait for ready deployment
waitforready.image💣
Type: object
{"repository":"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl","tag":"1.27.3"}
Default value (formatted)
{
"repository": "registry1.dso.mil/ironbank/opensource/kubernetes/kubectl",
"tag": "1.27.3"
}
Description: Image to use in wait for ready job. This must contain kubectl.
waitforready.imagePullSecrets💣
Type: list
[]
Default value (formatted)
[]
Description: Pull secret for wait for ready job
policies.sample💣
Type: object
{"enabled":false,"exclude":{},"match":{},"parameters":{"excludeContainers":[]},"validationFailureAction":"Audit","webhookTimeoutSeconds":""}
Default value (formatted)
{
"enabled": false,
"exclude": {},
"match": {},
"parameters": {
"excludeContainers": []
},
"validationFailureAction": "Audit",
"webhookTimeoutSeconds": ""
}
Description: Sample policy showing values that can be added to any policy
policies.sample.enabled💣
Type: bool
false
Description: Controls policy deployment
policies.sample.validationFailureAction💣
Type: string
"Audit"
Description: Controls if a validation policy rule failure should disallow (Enforce) or allow (Audit) the admission
policies.sample.webhookTimeoutSeconds💣
Type: string
""
Description: Specifies the maximum time in seconds allowed to apply this policy. Default is 10. Range is 1 to 30.
policies.sample.match💣
Type: object
{}
Default value (formatted)
{}
Description: Defines when this policy’s rules should be applied. This completely overrides any default matches.
policies.sample.exclude💣
Type: object
{}
Default value (formatted)
{}
Description: Defines when this policy’s rules should not be applied. This completely overrides any default excludes.
policies.sample.parameters💣
Type: object
{"excludeContainers":[]}
Default value (formatted)
{
"excludeContainers": []
}
Description: Policy specific parameters that are added to the configMap for the policy rules
policies.sample.parameters.excludeContainers💣
Type: list
[]
Default value (formatted)
[]
Description: Adds a container exclusion (by name) to a specific policy. This is merged with any global excludeContainers.
policies.clone-configs💣
Type: object
{"enabled":false,"parameters":{"clone":[]}}
Default value (formatted)
{
"enabled": false,
"parameters": {
"clone": []
}
}
Description: Clone existing configMap or secret in new Namespaces
policies.clone-configs.parameters.clone💣
Type: list
[]
Default value (formatted)
[]
Description: ConfigMap or Secrets that should be cloned. Each item requres the kind, name, and namespace of the resource to clone
policies.disallow-annotations💣
Type: object
{"enabled":false,"parameters":{"disallow":[]},"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"parameters": {
"disallow": []
},
"validationFailureAction": "Audit"
}
Description: Prevent specified annotations on pods
policies.disallow-annotations.parameters.disallow💣
Type: list
[]
Default value (formatted)
[]
Description: List of annotations disallowed on pods. Entries can be just a “key”, or a quoted “key: value”. Wildcards ‘*’ and ‘?’ are supported.
policies.disallow-deprecated-apis💣
Type: object
{"enabled":false,"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"validationFailureAction": "Audit"
}
Description: Prevent resources that use deprecated or removed APIs (through Kubernetes 1.26)
policies.disallow-host-namespaces💣
Type: object
{"enabled":true,"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"validationFailureAction": "Enforce"
}
Description: Prevent use of the host namespace (PID, IPC, Network) by pods
policies.disallow-image-tags💣
Type: object
{"enabled":false,"parameters":{"disallow":["latest"]},"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"parameters": {
"disallow": [
"latest"
]
},
"validationFailureAction": "Audit"
}
Description: Prevent container images with specified tags. Also, requires images to have a tag.
policies.disallow-istio-injection-bypass💣
Type: object
{"enabled":false,"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"validationFailureAction": "Audit"
}
Description: Prevent the sidecar.istio.io/inject: false
label on pods.
policies.disallow-labels💣
Type: object
{"enabled":false,"parameters":{"disallow":[]},"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"parameters": {
"disallow": []
},
"validationFailureAction": "Audit"
}
Description: Prevent specified labels on pods
policies.disallow-labels.parameters.disallow💣
Type: list
[]
Default value (formatted)
[]
Description: List of labels disallowed on pods. Entries can be just a “key”, or a quoted “key: value”. Wildcards ‘*’ and ‘?’ are supported.
policies.disallow-namespaces💣
Type: object
{"enabled":false,"parameters":{"disallow":["default"]},"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"parameters": {
"disallow": [
"default"
]
},
"validationFailureAction": "Audit"
}
Description: Prevent pods from using the listed namespaces
policies.disallow-namespaces.parameters.disallow💣
Type: list
["default"]
Default value (formatted)
[
"default"
]
Description: List of namespaces to deny pod deployment
policies.disallow-nodeport-services💣
Type: object
{"enabled":true,"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": true,
"validationFailureAction": "Audit"
}
Description: Prevent services of the type NodePort
policies.disallow-pod-exec💣
Type: object
{"enabled":false,"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"validationFailureAction": "Audit"
}
Description: Prevent the use of exec
or attach
on pods
policies.disallow-privilege-escalation💣
Type: object
{"enabled":true,"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"validationFailureAction": "Enforce"
}
Description: Prevent privilege escalation on pods
policies.disallow-privileged-containers💣
Type: object
{"enabled":true,"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"validationFailureAction": "Enforce"
}
Description: Prevent containers that run as privileged
policies.disallow-selinux-options💣
Type: object
{"enabled":true,"parameters":{"disallow":["user","role"]},"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"parameters": {
"disallow": [
"user",
"role"
]
},
"validationFailureAction": "Enforce"
}
Description: Prevent specified SELinux options from being used on pods.
policies.disallow-selinux-options.parameters.disallow💣
Type: list
["user","role"]
Default value (formatted)
[
"user",
"role"
]
Description: List of selinux options that are not allowed. Valid values include level
, role
, type
, and user
. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards
policies.disallow-tolerations💣
Type: object
{"enabled":false,"parameters":{"disallow":[{"key":"node-role.kubernetes.io/master"}]},"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"parameters": {
"disallow": [
{
"key": "node-role.kubernetes.io/master"
}
]
},
"validationFailureAction": "Audit"
}
Description: Prevent tolerations that bypass specified taints
policies.disallow-tolerations.parameters.disallow💣
Type: list
[{"key":"node-role.kubernetes.io/master"}]
Default value (formatted)
[
{
"key": "node-role.kubernetes.io/master"
}
]
Description: List of taints to protect from toleration. Each entry can have key
, value
, and/or effect
. Wildcards ‘*’ and ‘?’ can be used If key, value, or effect are not defined, they are ignored in the policy rule
policies.disallow-rbac-on-default-serviceaccounts💣
Type: object
{"enabled":false,"exclude":{"any":[{"resources":{"name":"system:service-account-issuer-discovery"}}]},"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"exclude": {
"any": [
{
"resources": {
"name": "system:service-account-issuer-discovery"
}
}
]
},
"validationFailureAction": "Audit"
}
Description: Prevent additional RBAC permissions on default service accounts
policies.require-annotations💣
Type: object
{"enabled":false,"parameters":{"require":[]},"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"parameters": {
"require": []
},
"validationFailureAction": "Audit"
}
Description: Require specified annotations on all pods
policies.require-annotations.parameters.require💣
Type: list
[]
Default value (formatted)
[]
Description: List of annotations required on all pods. Entries can be just a “key”, or a quoted “key: value”. Wildcards ‘*’ and ‘?’ are supported.
policies.require-cpu-limit💣
Type: object
{"enabled":false,"parameters":{"require":["<10"]},"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"parameters": {
"require": [
"<10"
]
},
"validationFailureAction": "Audit"
}
Description: Require containers have CPU limits defined and within the specified range
policies.require-drop-all-capabilities💣
Type: object
{"enabled":true,"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"validationFailureAction": "Enforce"
}
Description: Requires containers to drop all Linux capabilities
policies.require-image-signature💣
Type: object
{"enabled":true,"parameters":{"require":[{"attestors":[{"count":1,"entries":[{"keys":{"publicKeys":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL\nUfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==\n-----END PUBLIC KEY-----"}}]}],"imageReferences":["registry1.dso.mil/ironbank/*"],"mutateDigest":false,"verifyDigest":false}]},"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"parameters": {
"require": [
{
"attestors": [
{
"count": 1,
"entries": [
{
"keys": {
"publicKeys": "-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL
UfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==
-----END PUBLIC KEY-----"
}
}
]
}
],
"imageReferences": [
"registry1.dso.mil/ironbank/*"
],
"mutateDigest": false,
"verifyDigest": false
}
]
},
"validationFailureAction": "Enforce"
}
Description: Require specified images to be signed and verified
policies.require-image-signature.parameters.require💣
Type: list
[{"attestors":[{"count":1,"entries":[{"keys":{"publicKeys":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL\nUfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==\n-----END PUBLIC KEY-----"}}]}],"imageReferences":["registry1.dso.mil/ironbank/*"],"mutateDigest":false,"verifyDigest":false}]
Default value (formatted)
[
{
"attestors": [
{
"count": 1,
"entries": [
{
"keys": {
"publicKeys": "-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL
UfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==
-----END PUBLIC KEY-----"
}
}
]
}
],
"imageReferences": [
"registry1.dso.mil/ironbank/*"
],
"mutateDigest": false,
"verifyDigest": false
}
]
Description: List of images that must be signed and the public key to verify. Use kubectl explain clusterpolicy.spec.rules.verifyImages
for fields.
policies.require-istio-on-namespaces💣
Type: object
{"enabled":false,"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"validationFailureAction": "Audit"
}
Description: Require Istio sidecar injection label on namespaces
policies.require-labels💣
Type: object
{"enabled":false,"parameters":{"require":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version"]},"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"parameters": {
"require": [
"app.kubernetes.io/name",
"app.kubernetes.io/instance",
"app.kubernetes.io/version"
]
},
"validationFailureAction": "Audit"
}
Description: Require specified labels to be on all pods
policies.require-labels.parameters.require💣
Type: list
["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version"]
Default value (formatted)
[
"app.kubernetes.io/name",
"app.kubernetes.io/instance",
"app.kubernetes.io/version"
]
Description: List of labels required on all pods. Entries can be just a “key”, or a quoted “key: value”. Wildcards ‘*’ and ‘?’ are supported. See https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels See https://helm.sh/docs/chart_best_practices/labels/#standard-labels
policies.require-memory-limit💣
Type: object
{"enabled":false,"parameters":{"require":["<64Gi"]},"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"parameters": {
"require": [
"<64Gi"
]
},
"validationFailureAction": "Audit"
}
Description: Require containers have memory limits defined and within the specified range
policies.require-non-root-group💣
Type: object
{"enabled":true,"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"validationFailureAction": "Enforce"
}
Description: Require containers to run with non-root group
policies.require-non-root-user💣
Type: object
{"enabled":true,"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"validationFailureAction": "Enforce"
}
Description: Require containers to run as non-root user
policies.require-probes💣
Type: object
{"enabled":false,"parameters":{"require":["readinessProbe","livenessProbe"]},"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"parameters": {
"require": [
"readinessProbe",
"livenessProbe"
]
},
"validationFailureAction": "Audit"
}
Description: Require specified probes on pods
policies.require-probes.parameters.require💣
Type: list
["readinessProbe","livenessProbe"]
Default value (formatted)
[
"readinessProbe",
"livenessProbe"
]
Description: List of probes that are required on pods. Valid values are readinessProbe
, livenessProbe
, and startupProbe
.
policies.require-requests-equal-limits💣
Type: object
{"enabled":false,"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"validationFailureAction": "Audit"
}
Description: Require CPU and memory requests equal limits for guaranteed quality of service
policies.require-ro-rootfs💣
Type: object
{"enabled":false,"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"validationFailureAction": "Audit"
}
Description: Require containers set root filesystem to read-only
policies.restrict-apparmor💣
Type: object
{"enabled":true,"parameters":{"allow":["runtime/default","localhost/*"]},"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"parameters": {
"allow": [
"runtime/default",
"localhost/*"
]
},
"validationFailureAction": "Enforce"
}
Description: Restricts pods that use AppArmor to specified profiles
policies.restrict-apparmor.parameters.allow💣
Type: list
["runtime/default","localhost/*"]
Default value (formatted)
[
"runtime/default",
"localhost/*"
]
Description: List of allowed AppArmor profiles Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
policies.restrict-external-ips💣
Type: object
{"enabled":true,"parameters":{"allow":[]},"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"parameters": {
"allow": []
},
"validationFailureAction": "Enforce"
}
Description: Restrict services with External IPs to a specified list (CVE-2020-8554)
policies.restrict-external-ips.parameters.allow💣
Type: list
[]
Default value (formatted)
[]
Description: List of external IPs allowed in services. Must be an IP address. Use the wildcard ?*
to support subnets (e.g. 192.168.0.?*
)
policies.restrict-external-names💣
Type: object
{"enabled":true,"parameters":{"allow":[]},"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"parameters": {
"allow": []
},
"validationFailureAction": "Enforce"
}
Description: Restrict services with External Names to a specified list (CVE-2020-8554)
policies.restrict-external-names.parameters.allow💣
Type: list
[]
Default value (formatted)
[]
Description: List of external names allowed in services. Must be a lowercase RFC-1123 hostname.
policies.restrict-capabilities💣
Type: object
{"enabled":true,"parameters":{"allow":["NET_BIND_SERVICE"]},"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"parameters": {
"allow": [
"NET_BIND_SERVICE"
]
},
"validationFailureAction": "Enforce"
}
Description: Restrict Linux capabilities added to containers to the specified list
policies.restrict-capabilities.parameters.allow💣
Type: list
["NET_BIND_SERVICE"]
Default value (formatted)
[
"NET_BIND_SERVICE"
]
Description: List of capabilities that are allowed to be added Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted See https://man7.org/linux/man-pages/man7/capabilities.7.html for list of capabilities. The CAP_
prefix is removed in Kubernetes names.
policies.restrict-group-id💣
Type: object
{"enabled":false,"parameters":{"allow":[">=1000"]},"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"parameters": {
"allow": [
">=1000"
]
},
"validationFailureAction": "Audit"
}
Description: Restrict container group IDs to specified ranges NOTE: Using require-non-root-group will force runAsGroup to be defined
policies.restrict-host-path-mount💣
Type: object
{"enabled":true,"parameters":{"allow":[]},"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": true,
"parameters": {
"allow": []
},
"validationFailureAction": "Audit"
}
Description: Restrict the paths that can be mounted by hostPath volumes to the allowed list. HostPath volumes are normally disallowed. If exceptions are made, the path(s) should be restricted.
policies.restrict-host-path-mount.parameters.allow💣
Type: list
[]
Default value (formatted)
[]
Description: List of allowed paths for hostPath volumes to mount
policies.restrict-host-path-mount-pv.enabled💣
Type: bool
true
policies.restrict-host-path-mount-pv.validationFailureAction💣
Type: string
"Audit"
policies.restrict-host-path-mount-pv.parameters.allow💣
Type: list
[]
Default value (formatted)
[]
Description: List of allowed paths for hostPath volumes to mount
policies.restrict-host-path-write💣
Type: object
{"enabled":true,"parameters":{"allow":[]},"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": true,
"parameters": {
"allow": []
},
"validationFailureAction": "Audit"
}
Description: Restrict the paths that can be mounted as read/write by hostPath volumes to the allowed list. HostPath volumes, if allowed, should normally be mounted as read-only. If exceptions are made, the path(s) should be restricted.
policies.restrict-host-path-write.parameters.allow💣
Type: list
[]
Default value (formatted)
[]
Description: List of allowed paths for hostPath volumes to mount as read/write
policies.restrict-host-ports💣
Type: object
{"enabled":true,"parameters":{"allow":[]},"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"parameters": {
"allow": []
},
"validationFailureAction": "Enforce"
}
Description: Restrict host ports in containers to the specified list
policies.restrict-host-ports.parameters.allow💣
Type: list
[]
Default value (formatted)
[]
Description: List of allowed host ports
policies.restrict-image-registries💣
Type: object
{"enabled":true,"parameters":{"allow":["registry1.dso.mil"]},"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": true,
"parameters": {
"allow": [
"registry1.dso.mil"
]
},
"validationFailureAction": "Audit"
}
Description: Restricts container images to registries in the specified list
policies.restrict-image-registries.parameters.allow💣
Type: list
["registry1.dso.mil"]
Default value (formatted)
[
"registry1.dso.mil"
]
Description: List of allowed registries that images may use
policies.restrict-proc-mount💣
Type: object
{"enabled":true,"parameters":{"allow":["Default"]},"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"parameters": {
"allow": [
"Default"
]
},
"validationFailureAction": "Enforce"
}
Description: Restrict mounting /proc to the specified mask
policies.restrict-proc-mount.parameters.allow💣
Type: list
["Default"]
Default value (formatted)
[
"Default"
]
Description: List of allowed proc mount values. Valid values are Default
and Unmasked
. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards
policies.restrict-seccomp💣
Type: object
{"enabled":true,"parameters":{"allow":["RuntimeDefault","Localhost"]},"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"parameters": {
"allow": [
"RuntimeDefault",
"Localhost"
]
},
"validationFailureAction": "Enforce"
}
Description: Restrict seccomp profiles to the specified list
policies.restrict-seccomp.parameters.allow💣
Type: list
["RuntimeDefault","Localhost"]
Default value (formatted)
[
"RuntimeDefault",
"Localhost"
]
Description: List of allowed seccomp profiles. Valid values are Localhost
, RuntimeDefault
, and Unconfined
Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
policies.restrict-selinux-type💣
Type: object
{"enabled":true,"parameters":{"allow":["container_t","container_init_t","container_kvm_t"]},"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"parameters": {
"allow": [
"container_t",
"container_init_t",
"container_kvm_t"
]
},
"validationFailureAction": "Enforce"
}
Description: Restrict SELinux types to the specified list.
policies.restrict-selinux-type.parameters.allow💣
Type: list
["container_t","container_init_t","container_kvm_t"]
Default value (formatted)
[
"container_t",
"container_init_t",
"container_kvm_t"
]
Description: List of allowed values for the type
field Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards
policies.restrict-sysctls💣
Type: object
{"enabled":true,"parameters":{"allow":["kernel.shm_rmid_forced","net.ipv4.ip_local_port_range","net.ipv4.ip_unprivileged_port_start","net.ipv4.tcp_syncookies","net.ipv4.ping_group_range"]},"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"parameters": {
"allow": [
"kernel.shm_rmid_forced",
"net.ipv4.ip_local_port_range",
"net.ipv4.ip_unprivileged_port_start",
"net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range"
]
},
"validationFailureAction": "Enforce"
}
Description: Restrict sysctls to the specified list
policies.restrict-sysctls.parameters.allow💣
Type: list
["kernel.shm_rmid_forced","net.ipv4.ip_local_port_range","net.ipv4.ip_unprivileged_port_start","net.ipv4.tcp_syncookies","net.ipv4.ping_group_range"]
Default value (formatted)
[
"kernel.shm_rmid_forced",
"net.ipv4.ip_local_port_range",
"net.ipv4.ip_unprivileged_port_start",
"net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range"
]
Description: List of allowed sysctls. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards
policies.restrict-user-id💣
Type: object
{"enabled":false,"parameters":{"allow":[">=1000"]},"validationFailureAction":"Audit"}
Default value (formatted)
{
"enabled": false,
"parameters": {
"allow": [
">=1000"
]
},
"validationFailureAction": "Audit"
}
Description: Restrict user IDs to the specified ranges NOTE: Using require-non-root-user will force runAsUser to be defined
policies.restrict-volume-types💣
Type: object
{"enabled":true,"parameters":{"allow":["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"]},"validationFailureAction":"Enforce"}
Default value (formatted)
{
"enabled": true,
"parameters": {
"allow": [
"configMap",
"csi",
"downwardAPI",
"emptyDir",
"ephemeral",
"persistentVolumeClaim",
"projected",
"secret"
]
},
"validationFailureAction": "Enforce"
}
Description: Restrict the volume types to the specified list
policies.restrict-volume-types.parameters.allow💣
Type: list
["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"]
Default value (formatted)
[
"configMap",
"csi",
"downwardAPI",
"emptyDir",
"ephemeral",
"persistentVolumeClaim",
"projected",
"secret"
]
Description: List of allowed Volume types. Valid values are the volume types listed here: https://kubernetes.io/docs/concepts/storage/volumes/#volume-types Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
policies.update-image-pull-policy💣
Type: object
{"enabled":false,"parameters":{"update":[{"to":"Always"}]}}
Default value (formatted)
{
"enabled": false,
"parameters": {
"update": [
{
"to": "Always"
}
]
}
}
Description: Updates the image pull policy on containers
policies.update-image-pull-policy.parameters.update💣
Type: list
[{"to":"Always"}]
Default value (formatted)
[
{
"to": "Always"
}
]
Description: List of image pull policy updates. from
contains the pull policy value to replace. If from
is blank, it matches everything. to
contains the new pull policy to use. Must be one of Always
, Never
, or IfNotPresent
.
policies.update-image-registry💣
Type: object
{"enabled":false,"parameters":{"update":[]}}
Default value (formatted)
{
"enabled": false,
"parameters": {
"update": []
}
}
Description: Updates an existing image registry with a new registry in containers (e.g. proxy)
policies.update-image-registry.parameters.update💣
Type: list
[]
Default value (formatted)
[]
Description: List of registry updates. from
contains the registry to replace. to
contains the new registry to use.
policies.update-token-automount💣
Type: object
{"enabled":false}
Default value (formatted)
{
"enabled": false
}
Description: Updates automount token on default service accounts to false
additionalPolicies💣
Type: object
{"samplePolicy":{"annotations":{"policies.kyverno.io/category":"Examples","policies.kyverno.io/description":"This sample policy blocks pods from deploying into the 'default' namespace.","policies.kyverno.io/severity":"low","policies.kyverno.io/subject":"Pod","policies.kyverno.io/title":"Sample Policy"},"enabled":false,"kind":"ClusterPolicy","namespace":"","spec":{"rules":[{"match":{"any":[{"resources":{"kinds":["Pods"]}}]},"name":"sample-rule","validate":{"message":"Using 'default' namespace is not allowed.","pattern":{"metadata":{"namespace":"!default"}}}}]}}}
Default value (formatted)
{
"samplePolicy": {
"annotations": {
"policies.kyverno.io/category": "Examples",
"policies.kyverno.io/description": "This sample policy blocks pods from deploying into the 'default' namespace.",
"policies.kyverno.io/severity": "low",
"policies.kyverno.io/subject": "Pod",
"policies.kyverno.io/title": "Sample Policy"
},
"enabled": false,
"kind": "ClusterPolicy",
"namespace": "",
"spec": {
"rules": [
{
"match": {
"any": [
{
"resources": {
"kinds": [
"Pods"
]
}
}
]
},
"name": "sample-rule",
"validate": {
"message": "Using 'default' namespace is not allowed.",
"pattern": {
"metadata": {
"namespace": "!default"
}
}
}
}
]
}
}
}
Description: Adds custom policies. See https://kyverno.io/docs/writing-policies/.
additionalPolicies.samplePolicy💣
Type: object
{"annotations":{"policies.kyverno.io/category":"Examples","policies.kyverno.io/description":"This sample policy blocks pods from deploying into the 'default' namespace.","policies.kyverno.io/severity":"low","policies.kyverno.io/subject":"Pod","policies.kyverno.io/title":"Sample Policy"},"enabled":false,"kind":"ClusterPolicy","namespace":"","spec":{"rules":[{"match":{"any":[{"resources":{"kinds":["Pods"]}}]},"name":"sample-rule","validate":{"message":"Using 'default' namespace is not allowed.","pattern":{"metadata":{"namespace":"!default"}}}}]}}
Default value (formatted)
{
"annotations": {
"policies.kyverno.io/category": "Examples",
"policies.kyverno.io/description": "This sample policy blocks pods from deploying into the 'default' namespace.",
"policies.kyverno.io/severity": "low",
"policies.kyverno.io/subject": "Pod",
"policies.kyverno.io/title": "Sample Policy"
},
"enabled": false,
"kind": "ClusterPolicy",
"namespace": "",
"spec": {
"rules": [
{
"match": {
"any": [
{
"resources": {
"kinds": [
"Pods"
]
}
}
]
},
"name": "sample-rule",
"validate": {
"message": "Using 'default' namespace is not allowed.",
"pattern": {
"metadata": {
"namespace": "!default"
}
}
}
}
]
}
}
Description: Name of the policy. Addtional policies can be added by adding a key.
additionalPolicies.samplePolicy.enabled💣
Type: bool
false
Description: Controls policy deployment
additionalPolicies.samplePolicy.kind💣
Type: string
"ClusterPolicy"
Description: Kind of policy. Currently, “ClusterPolicy” and “Policy” are supported.
additionalPolicies.samplePolicy.namespace💣
Type: string
""
Description: If kind is “Policy”, which namespace to target. The namespace must already exist.
additionalPolicies.samplePolicy.annotations💣
Type: object
{"policies.kyverno.io/category":"Examples","policies.kyverno.io/description":"This sample policy blocks pods from deploying into the 'default' namespace.","policies.kyverno.io/severity":"low","policies.kyverno.io/subject":"Pod","policies.kyverno.io/title":"Sample Policy"}
Default value (formatted)
{
"policies.kyverno.io/category": "Examples",
"policies.kyverno.io/description": "This sample policy blocks pods from deploying into the 'default' namespace.",
"policies.kyverno.io/severity": "low",
"policies.kyverno.io/subject": "Pod",
"policies.kyverno.io/title": "Sample Policy"
}
Description: Policy annotations to add
additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/title”💣
Type: string
"Sample Policy"
Description: Human readable name of policy
additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/category”💣
Type: string
"Examples"
Description: Category of policy. Arbitrary.
additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/severity”💣
Type: string
"low"
Description: Severity of policy if a violation occurs. Choose “critical”, “high”, “medium”, “low”.
additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/subject”💣
Type: string
"Pod"
Description: Type of resource policy applies to (e.g. Pod, Service, Namespace)
additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/description”💣
Type: string
"This sample policy blocks pods from deploying into the 'default' namespace."
Description: Description of what the policy does, why it is important, and what items are allowed or unallowed.
additionalPolicies.samplePolicy.spec💣
Type: object
{"rules":[{"match":{"any":[{"resources":{"kinds":["Pods"]}}]},"name":"sample-rule","validate":{"message":"Using 'default' namespace is not allowed.","pattern":{"metadata":{"namespace":"!default"}}}}]}
Default value (formatted)
{
"rules": [
{
"match": {
"any": [
{
"resources": {
"kinds": [
"Pods"
]
}
}
]
},
"name": "sample-rule",
"validate": {
"message": "Using 'default' namespace is not allowed.",
"pattern": {
"metadata": {
"namespace": "!default"
}
}
}
}
]
}
Description: Policy specification. See kubectl explain clusterpolicies.spec
additionalPolicies.samplePolicy.spec.rules💣
Type: list
[{"match":{"any":[{"resources":{"kinds":["Pods"]}}]},"name":"sample-rule","validate":{"message":"Using 'default' namespace is not allowed.","pattern":{"metadata":{"namespace":"!default"}}}}]
Default value (formatted)
[
{
"match": {
"any": [
{
"resources": {
"kinds": [
"Pods"
]
}
}
]
},
"name": "sample-rule",
"validate": {
"message": "Using 'default' namespace is not allowed.",
"pattern": {
"metadata": {
"namespace": "!default"
}
}
}
}
]
Description: Policy rules. At least one is required
bbtests💣
Type: object
{"enabled":false,"imagePullSecret":"private-registry","scripts":{"additionalVolumeMounts":[{"mountPath":"/yaml","name":"kyverno-policies-bbtest-manifests"},{"mountPath":"/.kube/cache","name":"kyverno-policies-bbtest-kube-cache"}],"additionalVolumes":[{"configMap":{"name":"kyverno-policies-bbtest-manifests"},"name":"kyverno-policies-bbtest-manifests"},{"emptyDir":{},"name":"kyverno-policies-bbtest-kube-cache"}],"envs":{"ENABLED_POLICIES":"{{ $p := list }}{{ range $k, $v := .Values.policies }}{{ if $v.enabled }}{{ $p = append $p $k }}{{ end }}{{ end }}{{ join \" \" $p }}","IMAGE_PULL_SECRET":"{{ .Values.bbtests.imagePullSecret }}"},"image":"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:1.27.3"}}
Default value (formatted)
{
"enabled": false,
"imagePullSecret": "private-registry",
"scripts": {
"additionalVolumeMounts": [
{
"mountPath": "/yaml",
"name": "kyverno-policies-bbtest-manifests"
},
{
"mountPath": "/.kube/cache",
"name": "kyverno-policies-bbtest-kube-cache"
}
],
"additionalVolumes": [
{
"configMap": {
"name": "kyverno-policies-bbtest-manifests"
},
"name": "kyverno-policies-bbtest-manifests"
},
{
"emptyDir": {},
"name": "kyverno-policies-bbtest-kube-cache"
}
],
"envs": {
"ENABLED_POLICIES": "{{ $p := list }}{{ range $k, $v := .Values.policies }}{{ if $v.enabled }}{{ $p = append $p $k }}{{ end }}{{ end }}{{ join \" \" $p }}",
"IMAGE_PULL_SECRET": "{{ .Values.bbtests.imagePullSecret }}"
},
"image": "registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:1.27.3"
}
}
Description: Reserved values for Big Bang test automation