kyverno values.yaml💣
templating💣
Type: object
{"debug":false,"enabled":false,"version":null}
Default value (formatted)
{
"debug": false,
"enabled": false,
"version": null
}
Description: Internal settings used with helm template to generate install manifest @ignored
nameOverride💣
Type: string
nil
Description: Override the name of the chart
fullnameOverride💣
Type: string
nil
Description: Override the expanded name of the chart
namespaceOverride💣
Type: string
nil
Description: Override the namespace the chart deploys to
upgrade.fromV2💣
Type: bool
true
Description: Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed.
apiVersionOverride.podDisruptionBudget💣
Type: string
"policy/v1"
Description: (string) Override api version used to create PodDisruptionBudget`` resources. When not specified the chart will check ifpolicy/v1/PodDisruptionBudget` is available to determine the api version automatically.
crds.install💣
Type: bool
true
Description: Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created
crds.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Additional CRDs annotations
config.create💣
Type: bool
true
Description: Create the configmap.
config.name💣
Type: string
nil
Description: The configmap name (required if create is false).
config.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Additional annotations to add to the configmap.
config.enableDefaultRegistryMutation💣
Type: bool
true
Description: Enable registry mutation for container images. Enabled by default.
config.defaultRegistry💣
Type: string
"registry1.dso.mil"
Description: The registry hostname used for the image mutation.
config.excludeGroups💣
Type: list
["system:nodes"]
Default value (formatted)
[
"system:nodes"
]
Description: Exclude groups
config.excludeUsernames💣
Type: list
[]
Default value (formatted)
[]
Description: Exclude usernames
config.excludeRoles💣
Type: list
[]
Default value (formatted)
[]
Description: Exclude roles
config.excludeClusterRoles💣
Type: list
[]
Default value (formatted)
[]
Description: Exclude roles
config.generateSuccessEvents💣
Type: bool
false
Description: Generate success events.
config.webhooks💣
Type: list
[]
Default value (formatted)
[]
Description: Defines the namespaceSelector in the webhook configurations. Note that it takes a list of namespaceSelector and/or objectSelector in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if excludeKyvernoNamespace is true (default)
config.webhookAnnotations💣
Type: object
{}
Default value (formatted)
{}
Description: Defines annotations to set on webhook configurations.
config.excludeKyvernoNamespace💣
Type: bool
true
Description: Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters
config.resourceFiltersExcludeNamespaces💣
Type: list
[]
Default value (formatted)
[]
Description: resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters
metricsConfig.create💣
Type: bool
true
Description: Create the configmap.
metricsConfig.name💣
Type: string
nil
Description: The configmap name (required if create is false).
metricsConfig.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Additional annotations to add to the configmap.
metricsConfig.namespaces.include💣
Type: list
[]
Default value (formatted)
[]
Description: List of namespaces to capture metrics for.
metricsConfig.namespaces.exclude💣
Type: list
[]
Default value (formatted)
[]
Description: list of namespaces to NOT capture metrics for.
metricsConfig.metricsRefreshInterval💣
Type: string
nil
Description: Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno’s metrics. Default: 0, no refresh of metrics
imagePullSecrets💣
Type: object
{}
Default value (formatted)
{}
Description: Image pull secrets for image verification policies, this will define the --imagePullSecrets argument
existingImagePullSecrets💣
Type: list
["private-registry"]
Default value (formatted)
[
"private-registry"
]
Description: Existing Image pull secrets for image verification policies, this will define the --imagePullSecrets argument
test.image.registry💣
Type: string
"registry1.dso.mil"
Description: (string) Image registry
test.image.repository💣
Type: string
"ironbank/redhat/ubi/ubi8-minimal"
Description: Image repository
test.image.tag💣
Type: string
"8.8"
Description: Image tag Defaults to latest if omitted
test.image.pullPolicy💣
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
test.imagePullSecrets💣
Type: list
[{"name":"private-registry"}]
Default value (formatted)
[
{
"name": "private-registry"
}
]
Description: Image pull secrets
test.resources.limits💣
Type: object
{"cpu":"100m","memory":"256Mi"}
Default value (formatted)
{
"cpu": "100m",
"memory": "256Mi"
}
Description: Pod resource limits
test.resources.requests💣
Type: object
{"cpu":"10m","memory":"64Mi"}
Default value (formatted)
{
"cpu": "10m",
"memory": "64Mi"
}
Description: Pod resource requests
test.securityContext💣
Type: object
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"ALL"
]
},
"privileged": false,
"readOnlyRootFilesystem": true,
"runAsGroup": 65534,
"runAsNonRoot": true,
"runAsUser": 65534,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
Description: Security context for the test containers
customLabels💣
Type: object
{}
Default value (formatted)
{}
Description: Additional labels
webhooksCleanup.enabled💣
Type: bool
false
Description: Create a helm pre-delete hook to cleanup webhooks.
webhooksCleanup.image💣
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.27.5"
Description: kubectl image to run commands for deleting webhooks.
webhooksCleanup.imagePullSecrets💣
Type: list
[{"name":"private-registry"}]
Default value (formatted)
[
{
"name": "private-registry"
}
]
Description: Image pull secrets
grafana.enabled💣
Type: bool
false
Description: Enable grafana dashboard creation.
grafana.configMapName💣
Type: string
"{{ include \"kyverno.fullname\" . }}-grafana"
Description: Configmap name template.
grafana.namespace💣
Type: string
nil
Description: Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed.
grafana.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Grafana dashboard configmap annotations.
features.admissionReports.enabled💣
Type: bool
true
Description: Enables the feature
features.autoUpdateWebhooks.enabled💣
Type: bool
true
Description: Enables the feature
features.backgroundScan.enabled💣
Type: bool
true
Description: Enables the feature
features.backgroundScan.backgroundScanWorkers💣
Type: int
2
Description: Number of background scan workers
features.backgroundScan.backgroundScanInterval💣
Type: string
"1h"
Description: Background scan interval
features.backgroundScan.skipResourceFilters💣
Type: bool
true
Description: Skips resource filters in background scan
features.configMapCaching.enabled💣
Type: bool
true
Description: Enables the feature
features.dumpPayload.enabled💣
Type: bool
false
Description: Enables the feature
features.forceFailurePolicyIgnore.enabled💣
Type: bool
false
Description: Enables the feature
features.logging.format💣
Type: string
"text"
Description: Logging format
features.logging.verbosity💣
Type: int
2
Description: Logging verbosity
features.omitEvents.eventTypes💣
Type: list
[]
Default value (formatted)
[]
Description: Events which should not be emitted (possible values PolicyViolation, PolicyApplied, PolicyError, and PolicySkipped)
features.policyExceptions.enabled💣
Type: bool
false
Description: Enables the feature
features.policyExceptions.namespace💣
Type: string
""
Description: Restrict policy exceptions to a single namespace
features.protectManagedResources.enabled💣
Type: bool
false
Description: Enables the feature
features.registryClient.allowInsecure💣
Type: bool
false
Description: Allow insecure registry
features.registryClient.credentialHelpers💣
Type: list
["default","google","amazon","azure","github"]
Default value (formatted)
[
"default",
"google",
"amazon",
"azure",
"github"
]
Description: Enable registry client helpers
features.reports.chunkSize💣
Type: int
1000
Description: Reports chunk size
cleanupJobs.admissionReports.enabled💣
Type: bool
true
Description: Enable cleanup cronjob
cleanupJobs.admissionReports.image.registry💣
Type: string
"registry1.dso.mil"
Description: (string) Image registry
cleanupJobs.admissionReports.image.repository💣
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
cleanupJobs.admissionReports.image.tag💣
Type: string
"1.27.5"
Description: Image tag Defaults to latest if omitted
cleanupJobs.admissionReports.image.pullPolicy💣
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
cleanupJobs.admissionReports.imagePullSecrets💣
Type: list
[{"name":"private-registry"}]
Default value (formatted)
[
{
"name": "private-registry"
}
]
Description: Image pull secrets
cleanupJobs.admissionReports.schedule💣
Type: string
"*/10 * * * *"
Description: Cronjob schedule
cleanupJobs.admissionReports.threshold💣
Type: int
10000
Description: Reports threshold, if number of reports are above this value the cronjob will start deleting them
cleanupJobs.admissionReports.history💣
Type: object
{"failure":1,"success":1}
Default value (formatted)
{
"failure": 1,
"success": 1
}
Description: Cronjob history
cleanupJobs.admissionReports.podSecurityContext💣
Type: object
{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000}
Default value (formatted)
{
"runAsGroup": 1000,
"runAsNonRoot": true,
"runAsUser": 1000
}
Description: Security context for the pod
cleanupJobs.admissionReports.securityContext💣
Type: object
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"ALL"
]
},
"privileged": false,
"readOnlyRootFilesystem": true,
"runAsGroup": 1000,
"runAsNonRoot": true,
"runAsUser": 1000,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
Description: Security context for the containers
cleanupJobs.clusterAdmissionReports.enabled💣
Type: bool
true
Description: Enable cleanup cronjob
cleanupJobs.clusterAdmissionReports.image.registry💣
Type: string
"registry1.dso.mil"
Description: (string) Image registry
cleanupJobs.clusterAdmissionReports.image.repository💣
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
cleanupJobs.clusterAdmissionReports.image.tag💣
Type: string
"1.27.5"
Description: Image tag Defaults to latest if omitted
cleanupJobs.clusterAdmissionReports.image.pullPolicy💣
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
cleanupJobs.clusterAdmissionReports.imagePullSecrets💣
Type: list
[{"name":"private-registry"}]
Default value (formatted)
[
{
"name": "private-registry"
}
]
Description: Image pull secrets
cleanupJobs.clusterAdmissionReports.schedule💣
Type: string
"*/10 * * * *"
Description: Cronjob schedule
cleanupJobs.clusterAdmissionReports.threshold💣
Type: int
10000
Description: Reports threshold, if number of reports are above this value the cronjob will start deleting them
cleanupJobs.clusterAdmissionReports.history💣
Type: object
{"failure":1,"success":1}
Default value (formatted)
{
"failure": 1,
"success": 1
}
Description: Cronjob history
cleanupJobs.clusterAdmissionReports.podSecurityContext💣
Type: object
{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000}
Default value (formatted)
{
"runAsGroup": 1000,
"runAsNonRoot": true,
"runAsUser": 1000
}
Description: Security context for the pod
cleanupJobs.clusterAdmissionReports.securityContext💣
Type: object
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"ALL"
]
},
"privileged": false,
"readOnlyRootFilesystem": true,
"runAsGroup": 1000,
"runAsNonRoot": true,
"runAsUser": 1000,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
Description: Security context for the containers
admissionController.featuresOverride💣
Type: object
{}
Default value (formatted)
{}
Description: Overrides features defined at the root level
admissionController.rbac.create💣
Type: bool
true
Description: Create RBAC resources
admissionController.rbac.serviceAccount.name💣
Type: string
nil
Description: The ServiceAccount name
admissionController.rbac.serviceAccount.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Annotations for the ServiceAccount
admissionController.rbac.clusterRole.extraResources💣
Type: list
[]
Default value (formatted)
[]
Description: Extra resource permissions to add in the cluster role
admissionController.createSelfSignedCert💣
Type: bool
false
Description: Create self-signed certificates at deployment time. The certificates won’t be automatically renewed if this is set to true.
admissionController.replicas💣
Type: int
3
Description: (int) Desired number of pods
admissionController.podLabels💣
Type: object
{}
Default value (formatted)
{}
Description: Additional labels to add to each pod
admissionController.podAnnotations💣
Type: object
{}
Default value (formatted)
{}
Description: Additional annotations to add to each pod
admissionController.priorityClassName💣
Type: string
""
Description: Optional priority class
admissionController.hostNetwork💣
Type: bool
false
Description: Change hostNetwork to true when you want the pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.
admissionController.dnsPolicy💣
Type: string
"ClusterFirst"
Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
admissionController.nodeSelector💣
Type: object
{}
Default value (formatted)
{}
Description: Node labels for pod assignment
admissionController.tolerations💣
Type: list
[]
Default value (formatted)
[]
Description: List of node taints to tolerate
admissionController.antiAffinity.enabled💣
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
admissionController.podAffinity💣
Type: object
{}
Default value (formatted)
{}
Description: Pod affinity constraints.
admissionController.nodeAffinity💣
Type: object
{}
Default value (formatted)
{}
Description: Node affinity constraints.
admissionController.topologySpreadConstraints💣
Type: list
[]
Default value (formatted)
[]
Description: Topology spread constraints.
admissionController.podSecurityContext💣
Type: object
{"runAsGroup":10001,"runAsNonRoot":true,"runAsUser":10001}
Default value (formatted)
{
"runAsGroup": 10001,
"runAsNonRoot": true,
"runAsUser": 10001
}
Description: Security context for the pod
admissionController.podDisruptionBudget.minAvailable💣
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.
admissionController.podDisruptionBudget.maxUnavailable💣
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.
admissionController.tufRootMountPath💣
Type: string
"/.sigstore"
Description: A writable volume to use for the TUF root initialization.
admissionController.sigstoreVolume💣
Type: object
{"emptyDir":{}}
Default value (formatted)
{
"emptyDir": {}
}
Description: Volume to be mounted in pods for TUF/cosign work.
admissionController.imagePullSecrets💣
Type: list
[{"name":"private-registry"}]
Default value (formatted)
[
{
"name": "private-registry"
}
]
Description: Image pull secrets
admissionController.initContainer.image.registry💣
Type: string
"registry1.dso.mil"
Description: Image registry
admissionController.initContainer.image.repository💣
Type: string
"ironbank/opensource/kyverno/kyvernopre"
Description: Image repository
admissionController.initContainer.image.tag💣
Type: string
"v1.10.3"
Description: (string) Image tag If missing, defaults to image.tag
admissionController.initContainer.image.pullPolicy💣
Type: string
nil
Description: Image pull policy If missing, defaults to image.pullPolicy
admissionController.initContainer.resources.limits💣
Type: object
{"cpu":"100m","memory":"256Mi"}
Default value (formatted)
{
"cpu": "100m",
"memory": "256Mi"
}
Description: Pod resource limits
admissionController.initContainer.resources.requests💣
Type: object
{"cpu":"10m","memory":"64Mi"}
Default value (formatted)
{
"cpu": "10m",
"memory": "64Mi"
}
Description: Pod resource requests
admissionController.initContainer.securityContext💣
Type: object
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":10001,"runAsNonRoot":true,"runAsUser":10001,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"ALL"
]
},
"privileged": false,
"readOnlyRootFilesystem": true,
"runAsGroup": 10001,
"runAsNonRoot": true,
"runAsUser": 10001,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
Description: Container security context
admissionController.initContainer.extraArgs💣
Type: object
{}
Default value (formatted)
{}
Description: Additional container args.
admissionController.initContainer.extraEnvVars💣
Type: list
[]
Default value (formatted)
[]
Description: Additional container environment variables.
admissionController.container.image.registry💣
Type: string
"registry1.dso.mil"
Description: Image registry
admissionController.container.image.repository💣
Type: string
"ironbank/opensource/kyverno"
Description: Image repository
admissionController.container.image.tag💣
Type: string
"v1.10.3"
Description: (string) Image tag Defaults to appVersion in Chart.yaml if omitted
admissionController.container.image.pullPolicy💣
Type: string
"IfNotPresent"
Description: Image pull policy
admissionController.container.imagePullSecrets💣
Type: list
[{"name":"private-registry"}]
Default value (formatted)
[
{
"name": "private-registry"
}
]
Description: Image pull secrets
admissionController.container.resources.limits💣
Type: object
{"cpu":"500m","memory":"512Mi"}
Default value (formatted)
{
"cpu": "500m",
"memory": "512Mi"
}
Description: Pod resource limits
admissionController.container.resources.requests💣
Type: object
{"cpu":"500m","memory":"512Mi"}
Default value (formatted)
{
"cpu": "500m",
"memory": "512Mi"
}
Description: Pod resource requests
admissionController.container.securityContext💣
Type: object
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":10001,"runAsNonRoot":true,"runAsUser":10001,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"ALL"
]
},
"privileged": false,
"readOnlyRootFilesystem": true,
"runAsGroup": 10001,
"runAsNonRoot": true,
"runAsUser": 10001,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
Description: Container security context
admissionController.container.extraArgs💣
Type: object
{}
Default value (formatted)
{}
Description: Additional container args.
admissionController.container.extraEnvVars💣
Type: list
[]
Default value (formatted)
[]
Description: Additional container environment variables.
admissionController.extraInitContainers💣
Type: list
[]
Default value (formatted)
[]
Description: Array of extra init containers
admissionController.extraContainers💣
Type: list
[]
Default value (formatted)
[]
Description: Array of extra containers to run alongside kyverno
admissionController.service.port💣
Type: int
443
Description: Service port.
admissionController.service.type💣
Type: string
"ClusterIP"
Description: Service type.
admissionController.service.nodePort💣
Type: string
nil
Description: Service node port. Only used if type is NodePort.
admissionController.service.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Service annotations.
admissionController.metricsService.create💣
Type: bool
true
Description: Create service.
admissionController.metricsService.port💣
Type: int
8000
Description: Service port. Kyverno’s metrics server will be exposed at this port.
admissionController.metricsService.type💣
Type: string
"ClusterIP"
Description: Service type.
admissionController.metricsService.nodePort💣
Type: string
nil
Description: Service node port. Only used if type is NodePort.
admissionController.metricsService.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Service annotations.
admissionController.networkPolicy.enabled💣
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
admissionController.networkPolicy.ingressFrom💣
Type: list
[]
Default value (formatted)
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
admissionController.serviceMonitor.enabled💣
Type: bool
false
Description: Create a ServiceMonitor to collect Prometheus metrics.
admissionController.serviceMonitor.additionalLabels💣
Type: object
{}
Default value (formatted)
{}
Description: Additional labels
admissionController.serviceMonitor.namespace💣
Type: string
nil
Description: Override namespace
admissionController.serviceMonitor.interval💣
Type: string
"30s"
Description: Interval to scrape metrics
admissionController.serviceMonitor.scrapeTimeout💣
Type: string
"25s"
Description: Timeout if metrics can’t be retrieved in given time interval
admissionController.serviceMonitor.secure💣
Type: bool
false
Description: Is TLS required for endpoint
admissionController.serviceMonitor.tlsConfig💣
Type: object
{}
Default value (formatted)
{}
Description: TLS Configuration for endpoint
admissionController.tracing.enabled💣
Type: bool
false
Description: Enable tracing
admissionController.tracing.address💣
Type: string
nil
Description: Traces receiver address
admissionController.tracing.port💣
Type: string
nil
Description: Traces receiver port
admissionController.tracing.creds💣
Type: string
""
Description: Traces receiver credentials
admissionController.metering.disabled💣
Type: bool
false
Description: Disable metrics export
admissionController.metering.config💣
Type: string
"prometheus"
Description: Otel configuration, can be prometheus or grpc
admissionController.metering.port💣
Type: int
8000
Description: Prometheus endpoint port
admissionController.metering.collector💣
Type: string
""
Description: Otel collector endpoint
admissionController.metering.creds💣
Type: string
""
Description: Otel collector credentials
backgroundController.featuresOverride💣
Type: object
{}
Default value (formatted)
{}
Description: Overrides features defined at the root level
backgroundController.enabled💣
Type: bool
true
Description: Enable background controller.
backgroundController.rbac.create💣
Type: bool
true
Description: Create RBAC resources
backgroundController.rbac.serviceAccount.name💣
Type: string
nil
Description: Service account name
backgroundController.rbac.serviceAccount.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Annotations for the ServiceAccount
backgroundController.rbac.clusterRole.extraResources💣
Type: list
[]
Default value (formatted)
[]
Description: Extra resource permissions to add in the cluster role
backgroundController.image.registry💣
Type: string
"registry1.dso.mil"
Description: Image registry
backgroundController.image.repository💣
Type: string
"ironbank/opensource/kyverno/kyverno/background-controller"
Description: Image repository
backgroundController.image.tag💣
Type: string
"1.10.3"
Description: Image tag Defaults to appVersion in Chart.yaml if omitted
backgroundController.image.pullPolicy💣
Type: string
"IfNotPresent"
Description: Image pull policy
backgroundController.imagePullSecrets💣
Type: list
[{"name":"private-registry"}]
Default value (formatted)
[
{
"name": "private-registry"
}
]
Description: Image pull secrets
backgroundController.replicas💣
Type: int
nil
Description: Desired number of pods
backgroundController.podLabels💣
Type: object
{}
Default value (formatted)
{}
Description: Additional labels to add to each pod
backgroundController.podAnnotations💣
Type: object
{}
Default value (formatted)
{}
Description: Additional annotations to add to each pod
backgroundController.priorityClassName💣
Type: string
""
Description: Optional priority class
backgroundController.hostNetwork💣
Type: bool
false
Description: Change hostNetwork to true when you want the pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.
backgroundController.dnsPolicy💣
Type: string
"ClusterFirst"
Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
backgroundController.extraArgs💣
Type: object
{}
Default value (formatted)
{}
Description: Extra arguments passed to the container on the command line
backgroundController.resources.limits💣
Type: object
{"memory":"128Mi"}
Default value (formatted)
{
"memory": "128Mi"
}
Description: Pod resource limits
backgroundController.resources.requests💣
Type: object
{"cpu":"100m","memory":"64Mi"}
Default value (formatted)
{
"cpu": "100m",
"memory": "64Mi"
}
Description: Pod resource requests
backgroundController.nodeSelector💣
Type: object
{}
Default value (formatted)
{}
Description: Node labels for pod assignment
backgroundController.tolerations💣
Type: list
[]
Default value (formatted)
[]
Description: List of node taints to tolerate
backgroundController.antiAffinity.enabled💣
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
backgroundController.podAffinity💣
Type: object
{}
Default value (formatted)
{}
Description: Pod affinity constraints.
backgroundController.nodeAffinity💣
Type: object
{}
Default value (formatted)
{}
Description: Node affinity constraints.
backgroundController.topologySpreadConstraints💣
Type: list
[]
Default value (formatted)
[]
Description: Topology spread constraints.
backgroundController.podSecurityContext💣
Type: object
{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000}
Default value (formatted)
{
"runAsGroup": 1000,
"runAsNonRoot": true,
"runAsUser": 1000
}
Description: Security context for the pod
backgroundController.securityContext💣
Type: object
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":1000,"runAsgroup":1000,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"ALL"
]
},
"privileged": false,
"readOnlyRootFilesystem": true,
"runAsNonRoot": true,
"runAsUser": 1000,
"runAsgroup": 1000,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
Description: Security context for the containers
backgroundController.podDisruptionBudget.minAvailable💣
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.
backgroundController.podDisruptionBudget.maxUnavailable💣
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.
backgroundController.metricsService.create💣
Type: bool
true
Description: Create service.
backgroundController.metricsService.port💣
Type: int
8000
Description: Service port. Metrics server will be exposed at this port.
backgroundController.metricsService.type💣
Type: string
"ClusterIP"
Description: Service type.
backgroundController.metricsService.nodePort💣
Type: string
nil
Description: Service node port. Only used if metricsService.type is NodePort.
backgroundController.metricsService.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Service annotations.
backgroundController.networkPolicy.enabled💣
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
backgroundController.networkPolicy.ingressFrom💣
Type: list
[]
Default value (formatted)
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
backgroundController.serviceMonitor.enabled💣
Type: bool
false
Description: Create a ServiceMonitor to collect Prometheus metrics.
backgroundController.serviceMonitor.additionalLabels💣
Type: object
{}
Default value (formatted)
{}
Description: Additional labels
backgroundController.serviceMonitor.namespace💣
Type: string
nil
Description: Override namespace
backgroundController.serviceMonitor.interval💣
Type: string
"30s"
Description: Interval to scrape metrics
backgroundController.serviceMonitor.scrapeTimeout💣
Type: string
"25s"
Description: Timeout if metrics can’t be retrieved in given time interval
backgroundController.serviceMonitor.secure💣
Type: bool
false
Description: Is TLS required for endpoint
backgroundController.serviceMonitor.tlsConfig💣
Type: object
{}
Default value (formatted)
{}
Description: TLS Configuration for endpoint
backgroundController.tracing.enabled💣
Type: bool
false
Description: Enable tracing
backgroundController.tracing.address💣
Type: string
nil
Description: Traces receiver address
backgroundController.tracing.port💣
Type: string
nil
Description: Traces receiver port
backgroundController.tracing.creds💣
Type: string
""
Description: Traces receiver credentials
backgroundController.metering.disabled💣
Type: bool
false
Description: Disable metrics export
backgroundController.metering.config💣
Type: string
"prometheus"
Description: Otel configuration, can be prometheus or grpc
backgroundController.metering.port💣
Type: int
8000
Description: Prometheus endpoint port
backgroundController.metering.collector💣
Type: string
""
Description: Otel collector endpoint
backgroundController.metering.creds💣
Type: string
""
Description: Otel collector credentials
cleanupController.featuresOverride💣
Type: object
{}
Default value (formatted)
{}
Description: Overrides features defined at the root level
cleanupController.enabled💣
Type: bool
true
Description: Enable cleanup controller.
cleanupController.rbac.create💣
Type: bool
true
Description: Create RBAC resources
cleanupController.rbac.serviceAccount.name💣
Type: string
nil
Description: Service account name
cleanupController.rbac.serviceAccount.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Annotations for the ServiceAccount
cleanupController.rbac.clusterRole.extraResources💣
Type: list
[]
Default value (formatted)
[]
Description: Extra resource permissions to add in the cluster role
cleanupController.createSelfSignedCert💣
Type: bool
false
Description: Create self-signed certificates at deployment time. The certificates won’t be automatically renewed if this is set to true.
cleanupController.image.registry💣
Type: string
"registry1.dso.mil"
Description: Image registry
cleanupController.image.repository💣
Type: string
"ironbank/opensource/kyverno/kyverno/cleanup-controller"
Description: Image repository
cleanupController.image.tag💣
Type: string
"v1.10.3"
Description: (string) Image tag Defaults to appVersion in Chart.yaml if omitted
cleanupController.image.pullPolicy💣
Type: string
"IfNotPresent"
Description: Image pull policy
cleanupController.imagePullSecrets💣
Type: list
[{"name":"private-registry"}]
Default value (formatted)
[
{
"name": "private-registry"
}
]
Description: Image pull secrets
cleanupController.replicas💣
Type: int
nil
Description: Desired number of pods
cleanupController.podLabels💣
Type: object
{}
Default value (formatted)
{}
Description: Additional labels to add to each pod
cleanupController.podAnnotations💣
Type: object
{}
Default value (formatted)
{}
Description: Additional annotations to add to each pod
cleanupController.priorityClassName💣
Type: string
""
Description: Optional priority class
cleanupController.hostNetwork💣
Type: bool
false
Description: Change hostNetwork to true when you want the pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.
cleanupController.dnsPolicy💣
Type: string
"ClusterFirst"
Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
cleanupController.extraArgs💣
Type: object
{}
Default value (formatted)
{}
Description: Extra arguments passed to the container on the command line
cleanupController.resources.limits💣
Type: object
{"memory":"128Mi"}
Default value (formatted)
{
"memory": "128Mi"
}
Description: Pod resource limits
cleanupController.resources.requests💣
Type: object
{"cpu":"100m","memory":"64Mi"}
Default value (formatted)
{
"cpu": "100m",
"memory": "64Mi"
}
Description: Pod resource requests
cleanupController.nodeSelector💣
Type: object
{}
Default value (formatted)
{}
Description: Node labels for pod assignment
cleanupController.tolerations💣
Type: list
[]
Default value (formatted)
[]
Description: List of node taints to tolerate
cleanupController.antiAffinity.enabled💣
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
cleanupController.podAffinity💣
Type: object
{}
Default value (formatted)
{}
Description: Pod affinity constraints.
cleanupController.nodeAffinity💣
Type: object
{}
Default value (formatted)
{}
Description: Node affinity constraints.
cleanupController.topologySpreadConstraints💣
Type: list
[]
Default value (formatted)
[]
Description: Topology spread constraints.
cleanupController.podSecurityContext💣
Type: object
{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000}
Default value (formatted)
{
"runAsGroup": 1000,
"runAsNonRoot": true,
"runAsUser": 1000
}
Description: Security context for the pod
cleanupController.securityContext💣
Type: object
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"ALL"
]
},
"privileged": false,
"readOnlyRootFilesystem": true,
"runAsGroup": 1000,
"runAsNonRoot": true,
"runAsUser": 1000,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
Description: Security context for the containers
cleanupController.podDisruptionBudget.minAvailable💣
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.
cleanupController.podDisruptionBudget.maxUnavailable💣
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.
cleanupController.service.port💣
Type: int
443
Description: Service port.
cleanupController.service.type💣
Type: string
"ClusterIP"
Description: Service type.
cleanupController.service.nodePort💣
Type: string
nil
Description: Service node port. Only used if service.type is NodePort.
cleanupController.service.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Service annotations.
cleanupController.metricsService.create💣
Type: bool
true
Description: Create service.
cleanupController.metricsService.port💣
Type: int
8000
Description: Service port. Metrics server will be exposed at this port.
cleanupController.metricsService.type💣
Type: string
"ClusterIP"
Description: Service type.
cleanupController.metricsService.nodePort💣
Type: string
nil
Description: Service node port. Only used if metricsService.type is NodePort.
cleanupController.metricsService.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Service annotations.
cleanupController.networkPolicy.enabled💣
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
cleanupController.networkPolicy.ingressFrom💣
Type: list
[]
Default value (formatted)
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
cleanupController.serviceMonitor.enabled💣
Type: bool
false
Description: Create a ServiceMonitor to collect Prometheus metrics.
cleanupController.serviceMonitor.additionalLabels💣
Type: object
{}
Default value (formatted)
{}
Description: Additional labels
cleanupController.serviceMonitor.namespace💣
Type: string
nil
Description: Override namespace
cleanupController.serviceMonitor.interval💣
Type: string
"30s"
Description: Interval to scrape metrics
cleanupController.serviceMonitor.scrapeTimeout💣
Type: string
"25s"
Description: Timeout if metrics can’t be retrieved in given time interval
cleanupController.serviceMonitor.secure💣
Type: bool
false
Description: Is TLS required for endpoint
cleanupController.serviceMonitor.tlsConfig💣
Type: object
{}
Default value (formatted)
{}
Description: TLS Configuration for endpoint
cleanupController.tracing.enabled💣
Type: bool
false
Description: Enable tracing
cleanupController.tracing.address💣
Type: string
nil
Description: Traces receiver address
cleanupController.tracing.port💣
Type: string
nil
Description: Traces receiver port
cleanupController.tracing.creds💣
Type: string
""
Description: Traces receiver credentials
cleanupController.metering.disabled💣
Type: bool
false
Description: Disable metrics export
cleanupController.metering.config💣
Type: string
"prometheus"
Description: Otel configuration, can be prometheus or grpc
cleanupController.metering.port💣
Type: int
8000
Description: Prometheus endpoint port
cleanupController.metering.collector💣
Type: string
""
Description: Otel collector endpoint
cleanupController.metering.creds💣
Type: string
""
Description: Otel collector credentials
reportsController.featuresOverride💣
Type: object
{}
Default value (formatted)
{}
Description: Overrides features defined at the root level
reportsController.enabled💣
Type: bool
true
Description: Enable reports controller.
reportsController.rbac.create💣
Type: bool
true
Description: Create RBAC resources
reportsController.rbac.serviceAccount.name💣
Type: string
nil
Description: Service account name
reportsController.rbac.serviceAccount.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Annotations for the ServiceAccount
reportsController.rbac.clusterRole.extraResources💣
Type: list
[]
Default value (formatted)
[]
Description: Extra resource permissions to add in the cluster role
reportsController.image.registry💣
Type: string
"registry1.dso.mil"
Description: Image registry
reportsController.image.repository💣
Type: string
"ironbank/opensource/kyverno/kyverno/reports-controller"
Description: Image repository
reportsController.image.tag💣
Type: string
"1.10.3"
Description: (string) Image tag Defaults to appVersion in Chart.yaml if omitted
reportsController.image.pullPolicy💣
Type: string
"IfNotPresent"
Description: Image pull policy
reportsController.imagePullSecrets💣
Type: list
[{"name":"private-registry"}]
Default value (formatted)
[
{
"name": "private-registry"
}
]
Description: Image pull secrets
reportsController.replicas💣
Type: int
nil
Description: Desired number of pods
reportsController.podLabels💣
Type: object
{}
Default value (formatted)
{}
Description: Additional labels to add to each pod
reportsController.podAnnotations💣
Type: object
{}
Default value (formatted)
{}
Description: Additional annotations to add to each pod
reportsController.priorityClassName💣
Type: string
""
Description: Optional priority class
reportsController.hostNetwork💣
Type: bool
false
Description: Change hostNetwork to true when you want the pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.
reportsController.dnsPolicy💣
Type: string
"ClusterFirst"
Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
reportsController.extraArgs💣
Type: object
{}
Default value (formatted)
{}
Description: Extra arguments passed to the container on the command line
reportsController.resources.limits💣
Type: object
{"memory":"128Mi"}
Default value (formatted)
{
"memory": "128Mi"
}
Description: Pod resource limits
reportsController.resources.requests💣
Type: object
{"cpu":"100m","memory":"64Mi"}
Default value (formatted)
{
"cpu": "100m",
"memory": "64Mi"
}
Description: Pod resource requests
reportsController.nodeSelector💣
Type: object
{}
Default value (formatted)
{}
Description: Node labels for pod assignment
reportsController.tolerations💣
Type: list
[]
Default value (formatted)
[]
Description: List of node taints to tolerate
reportsController.antiAffinity.enabled💣
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
reportsController.podAffinity💣
Type: object
{}
Default value (formatted)
{}
Description: Pod affinity constraints.
reportsController.nodeAffinity💣
Type: object
{}
Default value (formatted)
{}
Description: Node affinity constraints.
reportsController.topologySpreadConstraints💣
Type: list
[]
Default value (formatted)
[]
Description: Topology spread constraints.
reportsController.podSecurityContext💣
Type: object
{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000}
Default value (formatted)
{
"runAsGroup": 1000,
"runAsNonRoot": true,
"runAsUser": 1000
}
Description: Security context for the pod
reportsController.securityContext💣
Type: object
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"ALL"
]
},
"privileged": false,
"readOnlyRootFilesystem": true,
"runAsGroup": 1000,
"runAsNonRoot": true,
"runAsUser": 1000,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
Description: Security context for the containers
reportsController.podDisruptionBudget.minAvailable💣
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.
reportsController.podDisruptionBudget.maxUnavailable💣
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.
reportsController.tufRootMountPath💣
Type: string
"/.sigstore"
Description: A writable volume to use for the TUF root initialization.
reportsController.sigstoreVolume💣
Type: object
{"emptyDir":{}}
Default value (formatted)
{
"emptyDir": {}
}
Description: Volume to be mounted in pods for TUF/cosign work.
reportsController.metricsService.create💣
Type: bool
true
Description: Create service.
reportsController.metricsService.port💣
Type: int
8000
Description: Service port. Metrics server will be exposed at this port.
reportsController.metricsService.type💣
Type: string
"ClusterIP"
Description: Service type.
reportsController.metricsService.nodePort💣
Type: string
nil
Description: Service node port. Only used if type is NodePort.
reportsController.metricsService.annotations💣
Type: object
{}
Default value (formatted)
{}
Description: Service annotations.
reportsController.networkPolicy.enabled💣
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
reportsController.networkPolicy.ingressFrom💣
Type: list
[]
Default value (formatted)
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
reportsController.serviceMonitor.enabled💣
Type: bool
false
Description: Create a ServiceMonitor to collect Prometheus metrics.
reportsController.serviceMonitor.additionalLabels💣
Type: object
{}
Default value (formatted)
{}
Description: Additional labels
reportsController.serviceMonitor.namespace💣
Type: string
nil
Description: Override namespace
reportsController.serviceMonitor.interval💣
Type: string
"30s"
Description: Interval to scrape metrics
reportsController.serviceMonitor.scrapeTimeout💣
Type: string
"25s"
Description: Timeout if metrics can’t be retrieved in given time interval
reportsController.serviceMonitor.secure💣
Type: bool
false
Description: Is TLS required for endpoint
reportsController.serviceMonitor.tlsConfig💣
Type: object
{}
Default value (formatted)
{}
Description: TLS Configuration for endpoint
reportsController.tracing.enabled💣
Type: bool
false
Description: Enable tracing
reportsController.tracing.address💣
Type: string
nil
Description: Traces receiver address
reportsController.tracing.port💣
Type: string
nil
Description: Traces receiver port
reportsController.tracing.creds💣
Type: string
nil
Description: Traces receiver credentials
reportsController.metering.disabled💣
Type: bool
false
Description: Disable metrics export
reportsController.metering.config💣
Type: string
"prometheus"
Description: Otel configuration, can be prometheus or grpc
reportsController.metering.port💣
Type: int
8000
Description: Prometheus endpoint port
reportsController.metering.collector💣
Type: string
nil
Description: Otel collector endpoint
reportsController.metering.creds💣
Type: string
nil
Description: Otel collector credentials
networkPolicies.enabled💣
Type: bool
false
networkPolicies.controlPlaneCidr💣
Type: string
"0.0.0.0/0"
istio.enabled💣
Type: bool
false
openshift💣
Type: bool
false
bbtests.enabled💣
Type: bool
false
bbtests.scripts.image💣
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:1.27.4"
bbtests.scripts.additionalVolumeMounts[0].name💣
Type: string
"kyverno-bbtest-manifest"
bbtests.scripts.additionalVolumeMounts[0].mountPath💣
Type: string
"/yaml"
bbtests.scripts.additionalVolumes[0].name💣
Type: string
"kyverno-bbtest-manifest"
bbtests.scripts.additionalVolumes[0].configMap.name💣
Type: string
"kyverno-bbtest-manifest"