Skip to content

kyverno values.yaml📜

templating📜

Type: object

Default value
{"debug":false,"enabled":false,"version":null}
Default value (formatted)
{
  "debug": false,
  "enabled": false,
  "version": null
}

Description: Internal settings used with helm template to generate install manifest @ignored

global.image.registry📜

Type: string

Default value
nil

Description: Global value that allows to set a single image registry across all deployments. When set, it will override any values set under .image.registry across the chart.

nameOverride📜

Type: string

Default value
nil

Description: Override the name of the chart

fullnameOverride📜

Type: string

Default value
nil

Description: Override the expanded name of the chart

namespaceOverride📜

Type: string

Default value
nil

Description: Override the namespace the chart deploys to

upgrade.fromV2📜

Type: bool

Default value
true

Description: Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed.

apiVersionOverride.podDisruptionBudget📜

Type: string

Default value
"policy/v1"

Description: Override api version used to create PodDisruptionBudget`` resources. When not specified the chart will check ifpolicy/v1/PodDisruptionBudget` is available to determine the api version automatically.

crds.install📜

Type: bool

Default value
true

Description: Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created

crds.annotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional CRDs annotations

crds.customLabels📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional CRDs labels

config.create📜

Type: bool

Default value
true

Description: Create the configmap.

config.name📜

Type: string

Default value
nil

Description: The configmap name (required if create is false).

config.annotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional annotations to add to the configmap.

config.enableDefaultRegistryMutation📜

Type: bool

Default value
true

Description: Enable registry mutation for container images. Enabled by default.

config.defaultRegistry📜

Type: string

Default value
"registry1.dso.mil"

Description: The registry hostname used for the image mutation.

config.excludeGroups📜

Type: list

Default value
["system:nodes"]
Default value (formatted)
[
  "system:nodes"
]

Description: Exclude groups

config.excludeUsernames📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Exclude usernames

config.excludeRoles📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Exclude roles

config.excludeClusterRoles📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Exclude roles

config.generateSuccessEvents📜

Type: bool

Default value
false

Description: Generate success events.

config.webhooks📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Defines the namespaceSelector in the webhook configurations. Note that it takes a list of namespaceSelector and/or objectSelector in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if excludeKyvernoNamespace is true (default)

config.webhookAnnotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Defines annotations to set on webhook configurations.

config.matchConditions📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+).

config.excludeKyvernoNamespace📜

Type: bool

Default value
true

Description: Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters

config.resourceFiltersExcludeNamespaces📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters

metricsConfig.create📜

Type: bool

Default value
true

Description: Create the configmap.

metricsConfig.name📜

Type: string

Default value
nil

Description: The configmap name (required if create is false).

metricsConfig.annotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional annotations to add to the configmap.

metricsConfig.namespaces.include📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: List of namespaces to capture metrics for.

metricsConfig.namespaces.exclude📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: list of namespaces to NOT capture metrics for.

metricsConfig.metricsRefreshInterval📜

Type: string

Default value
nil

Description: Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno’s metrics. Default: 0, no refresh of metrics. WARNING: This flag is not working since Kyverno 1.8.0

metricsConfig.bucketBoundaries📜

Type: list

Default value
[0.005,0.01,0.025,0.05,0.1,0.25,0.5,1,2.5,5,10,15,20,25,30]
Default value (formatted)
[
  0.005,
  0.01,
  0.025,
  0.05,
  0.1,
  0.25,
  0.5,
  1,
  2.5,
  5,
  10,
  15,
  20,
  25,
  30
]

Description: Configures the bucket boundaries for all Histogram metrics, changing this configuration requires restart of the kyverno admission controller

metricsConfig.metricsExposure📜

Type: map

Default value
nil

Description: Configures the exposure of individual metrics, by default all metrics and all labels are exported, changing this configuration requires restart of the kyverno admission controller

imagePullSecrets📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Image pull secrets for image verification policies, this will define the --imagePullSecrets argument

existingImagePullSecrets📜

Type: list

Default value
["private-registry"]
Default value (formatted)
[
  "private-registry"
]

Description: Existing Image pull secrets for image verification policies, this will define the --imagePullSecrets argument

test.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

test.image.repository📜

Type: string

Default value
"ironbank/redhat/ubi/ubi9-minimal"

Description: Image repository

test.image.tag📜

Type: string

Default value
"9.3"

Description: Image tag Defaults to latest if omitted

test.image.pullPolicy📜

Type: string

Default value
nil

Description: Image pull policy Defaults to image.pullPolicy if omitted

test.imagePullSecrets📜

Type: list

Default value
[{"name":"private-registry"}]
Default value (formatted)
[
  {
    "name": "private-registry"
  }
]

Description: Image pull secrets

test.resources.limits📜

Type: object

Default value
{"cpu":"100m","memory":"256Mi"}
Default value (formatted)
{
  "cpu": "100m",
  "memory": "256Mi"
}

Description: Pod resource limits

test.resources.requests📜

Type: object

Default value
{"cpu":"10m","memory":"64Mi"}
Default value (formatted)
{
  "cpu": "10m",
  "memory": "64Mi"
}

Description: Pod resource requests

test.podSecurityContext📜

Type: object

Default value
{"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534}
Default value (formatted)
{
  "runAsGroup": 65534,
  "runAsNonRoot": true,
  "runAsUser": 65534
}

Description: Security context for the test pod

test.securityContext📜

Type: object

Default value
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
  "allowPrivilegeEscalation": false,
  "capabilities": {
    "drop": [
      "ALL"
    ]
  },
  "privileged": false,
  "readOnlyRootFilesystem": true,
  "runAsGroup": 65534,
  "runAsNonRoot": true,
  "runAsUser": 65534,
  "seccompProfile": {
    "type": "RuntimeDefault"
  }
}

Description: Security context for the test containers

customLabels📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional labels

webhooksCleanup.enabled📜

Type: bool

Default value
true

Description: Create a helm pre-delete hook to cleanup webhooks.

webhooksCleanup.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

webhooksCleanup.image.repository📜

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

webhooksCleanup.image.tag📜

Type: string

Default value
"v1.28.4"

Description: Image tag Defaults to latest if omitted

webhooksCleanup.image.pullPolicy📜

Type: string

Default value
nil

Description: Image pull policy Defaults to image.pullPolicy if omitted

webhooksCleanup.imagePullSecrets📜

Type: list

Default value
[{"name":"private-registry"}]
Default value (formatted)
[
  {
    "name": "private-registry"
  }
]

Description: Image pull secrets

webhooksCleanup.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

webhooksCleanup.podSecurityContext📜

Type: object

Default value
{"runAsGroup":1001,"runAsNonRoot":true,"runAsUser":1001}
Default value (formatted)
{
  "runAsGroup": 1001,
  "runAsNonRoot": true,
  "runAsUser": 1001
}

Description: Security context for the pod

webhooksCleanup.nodeSelector📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Node labels for pod assignment

webhooksCleanup.tolerations📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: List of node taints to tolerate

webhooksCleanup.podAntiAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Pod anti affinity constraints.

webhooksCleanup.podAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Pod affinity constraints.

webhooksCleanup.nodeAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Node affinity constraints.

webhooksCleanup.securityContext📜

Type: object

Default value
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1001,"runAsNonRoot":true,"runAsUser":1001,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
  "allowPrivilegeEscalation": false,
  "capabilities": {
    "drop": [
      "ALL"
    ]
  },
  "privileged": false,
  "readOnlyRootFilesystem": true,
  "runAsGroup": 1001,
  "runAsNonRoot": true,
  "runAsUser": 1001,
  "seccompProfile": {
    "type": "RuntimeDefault"
  }
}

Description: Security context for the hook containers

policyReportsCleanup.enabled📜

Type: bool

Default value
true

Description: Create a helm post-upgrade hook to cleanup the old policy reports.

policyReportsCleanup.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

policyReportsCleanup.image.repository📜

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

policyReportsCleanup.image.tag📜

Type: string

Default value
"v1.28.4"

Description: Image tag Defaults to latest if omitted

policyReportsCleanup.image.pullPolicy📜

Type: string

Default value
nil

Description: Image pull policy Defaults to image.pullPolicy if omitted

policyReportsCleanup.imagePullSecrets📜

Type: list

Default value
[{"name":"private-registry"}]
Default value (formatted)
[
  {
    "name": "private-registry"
  }
]

Description: Image pull secrets

policyReportsCleanup.podSecurityContext📜

Type: object

Default value
{"runAsGroup":1001,"runAsNonRoot":true,"runAsUser":1001}
Default value (formatted)
{
  "runAsGroup": 1001,
  "runAsNonRoot": true,
  "runAsUser": 1001
}

Description: Security context for the pod

policyReportsCleanup.securityContext📜

Type: object

Default value
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1001,"runAsNonRoot":true,"runAsUser":1001,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
  "allowPrivilegeEscalation": false,
  "capabilities": {
    "drop": [
      "ALL"
    ]
  },
  "privileged": false,
  "readOnlyRootFilesystem": true,
  "runAsGroup": 1001,
  "runAsNonRoot": true,
  "runAsUser": 1001,
  "seccompProfile": {
    "type": "RuntimeDefault"
  }
}

Description: Security context for the hook containers

grafana.enabled📜

Type: bool

Default value
false

Description: Enable grafana dashboard creation.

grafana.configMapName📜

Type: string

Default value
"{{ include \"kyverno.fullname\" . }}-grafana"

Description: Configmap name template.

grafana.namespace📜

Type: string

Default value
nil

Description: Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed.

grafana.annotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Grafana dashboard configmap annotations.

grafana.labels📜

Type: object

Default value
{"grafana_dashboard":"1"}
Default value (formatted)
{
  "grafana_dashboard": "1"
}

Description: Grafana dashboard configmap labels

grafana.grafanaDashboard📜

Type: object

Default value
{"create":false,"matchLabels":{"dashboards":"grafana"}}
Default value (formatted)
{
  "create": false,
  "matchLabels": {
    "dashboards": "grafana"
  }
}

Description: create GrafanaDashboard custom resource referencing to the configMap. according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/

features.admissionReports.enabled📜

Type: bool

Default value
true

Description: Enables the feature

features.aggregateReports.enabled📜

Type: bool

Default value
true

Description: Enables the feature

features.policyReports.enabled📜

Type: bool

Default value
true

Description: Enables the feature

features.validatingAdmissionPolicyReports.enabled📜

Type: bool

Default value
false

Description: Enables the feature

features.autoUpdateWebhooks.enabled📜

Type: bool

Default value
true

Description: Enables the feature

features.backgroundScan.enabled📜

Type: bool

Default value
true

Description: Enables the feature

features.backgroundScan.backgroundScanWorkers📜

Type: int

Default value
2

Description: Number of background scan workers

features.backgroundScan.backgroundScanInterval📜

Type: string

Default value
"1h"

Description: Background scan interval

features.backgroundScan.skipResourceFilters📜

Type: bool

Default value
true

Description: Skips resource filters in background scan

features.configMapCaching.enabled📜

Type: bool

Default value
true

Description: Enables the feature

features.deferredLoading.enabled📜

Type: bool

Default value
true

Description: Enables the feature

features.dumpPayload.enabled📜

Type: bool

Default value
false

Description: Enables the feature

features.forceFailurePolicyIgnore.enabled📜

Type: bool

Default value
false

Description: Enables the feature

features.generateValidatingAdmissionPolicy.enabled📜

Type: bool

Default value
false

Description: Enables the feature

features.logging.format📜

Type: string

Default value
"text"

Description: Logging format

features.logging.verbosity📜

Type: int

Default value
2

Description: Logging verbosity

features.omitEvents.eventTypes📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Events which should not be emitted (possible values PolicyViolation, PolicyApplied, PolicyError, and PolicySkipped)

features.policyExceptions.enabled📜

Type: bool

Default value
true

Description: Enables the feature

features.policyExceptions.namespace📜

Type: string

Default value
"kyverno"

Description: Restrict policy exceptions to a single namespace

features.protectManagedResources.enabled📜

Type: bool

Default value
false

Description: Enables the feature

features.registryClient.allowInsecure📜

Type: bool

Default value
false

Description: Allow insecure registry

features.registryClient.credentialHelpers📜

Type: list

Default value
["default","google","amazon","azure","github"]
Default value (formatted)
[
  "default",
  "google",
  "amazon",
  "azure",
  "github"
]

Description: Enable registry client helpers

features.reports.chunkSize📜

Type: int

Default value
1000

Description: Reports chunk size

features.ttlController.reconciliationInterval📜

Type: string

Default value
"1m"

Description: Reconciliation interval for the label based cleanup manager

features.tuf.enabled📜

Type: bool

Default value
false

Description: Enables the feature

features.tuf.root📜

Type: string

Default value
nil

Description: Tuf root

features.tuf.mirror📜

Type: string

Default value
nil

Description: Tuf mirror

cleanupJobs.rbac.serviceAccount.automountServiceAccountToken.enabled📜

Type: bool

Default value
false

cleanupJobs.admissionReports.enabled📜

Type: bool

Default value
true

Description: Enable cleanup cronjob

cleanupJobs.admissionReports.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

cleanupJobs.admissionReports.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupJobs.admissionReports.image.repository📜

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

cleanupJobs.admissionReports.image.tag📜

Type: string

Default value
"v1.28.4"

Description: Image tag Defaults to latest if omitted

cleanupJobs.admissionReports.image.pullPolicy📜

Type: string

Default value
nil

Description: Image pull policy Defaults to image.pullPolicy if omitted

cleanupJobs.admissionReports.imagePullSecrets📜

Type: list

Default value
[{"name":"private-registry"}]
Default value (formatted)
[
  {
    "name": "private-registry"
  }
]

Description: Image pull secrets

cleanupJobs.admissionReports.schedule📜

Type: string

Default value
"*/10 * * * *"

Description: Cronjob schedule

cleanupJobs.admissionReports.threshold📜

Type: int

Default value
10000

Description: Reports threshold, if number of reports are above this value the cronjob will start deleting them

cleanupJobs.admissionReports.history📜

Type: object

Default value
{"failure":1,"success":1}
Default value (formatted)
{
  "failure": 1,
  "success": 1
}

Description: Cronjob history

cleanupJobs.admissionReports.podSecurityContext📜

Type: object

Default value
{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000}
Default value (formatted)
{
  "runAsGroup": 1000,
  "runAsNonRoot": true,
  "runAsUser": 1000
}

Description: Security context for the pod

cleanupJobs.admissionReports.securityContext📜

Type: object

Default value
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
  "allowPrivilegeEscalation": false,
  "capabilities": {
    "drop": [
      "ALL"
    ]
  },
  "privileged": false,
  "readOnlyRootFilesystem": true,
  "runAsGroup": 1000,
  "runAsNonRoot": true,
  "runAsUser": 1000,
  "seccompProfile": {
    "type": "RuntimeDefault"
  }
}

Description: Security context for the containers

cleanupJobs.admissionReports.resources📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Job resources

cleanupJobs.admissionReports.tolerations📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: List of node taints to tolerate

cleanupJobs.admissionReports.nodeSelector📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Node labels for pod assignment

cleanupJobs.admissionReports.podAnnotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Pod Annotations

cleanupJobs.admissionReports.podLabels📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Pod labels

cleanupJobs.admissionReports.podAntiAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Pod anti affinity constraints.

cleanupJobs.admissionReports.podAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Pod affinity constraints.

cleanupJobs.admissionReports.nodeAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Node affinity constraints.

cleanupJobs.clusterAdmissionReports.enabled📜

Type: bool

Default value
true

Description: Enable cleanup cronjob

cleanupJobs.clusterAdmissionReports.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

cleanupJobs.clusterAdmissionReports.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupJobs.clusterAdmissionReports.image.repository📜

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

cleanupJobs.clusterAdmissionReports.image.tag📜

Type: string

Default value
"v1.28.4"

Description: Image tag Defaults to latest if omitted

cleanupJobs.clusterAdmissionReports.image.pullPolicy📜

Type: string

Default value
nil

Description: Image pull policy Defaults to image.pullPolicy if omitted

cleanupJobs.clusterAdmissionReports.imagePullSecrets📜

Type: list

Default value
[{"name":"private-registry"}]
Default value (formatted)
[
  {
    "name": "private-registry"
  }
]

Description: Image pull secrets

cleanupJobs.clusterAdmissionReports.schedule📜

Type: string

Default value
"*/10 * * * *"

Description: Cronjob schedule

cleanupJobs.clusterAdmissionReports.threshold📜

Type: int

Default value
10000

Description: Reports threshold, if number of reports are above this value the cronjob will start deleting them

cleanupJobs.clusterAdmissionReports.history📜

Type: object

Default value
{"failure":1,"success":1}
Default value (formatted)
{
  "failure": 1,
  "success": 1
}

Description: Cronjob history

cleanupJobs.clusterAdmissionReports.podSecurityContext📜

Type: object

Default value
{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000}
Default value (formatted)
{
  "runAsGroup": 1000,
  "runAsNonRoot": true,
  "runAsUser": 1000
}

Description: Security context for the pod

cleanupJobs.clusterAdmissionReports.securityContext📜

Type: object

Default value
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
  "allowPrivilegeEscalation": false,
  "capabilities": {
    "drop": [
      "ALL"
    ]
  },
  "privileged": false,
  "readOnlyRootFilesystem": true,
  "runAsGroup": 1000,
  "runAsNonRoot": true,
  "runAsUser": 1000,
  "seccompProfile": {
    "type": "RuntimeDefault"
  }
}

Description: Security context for the containers

cleanupJobs.clusterAdmissionReports.resources📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Job resources

cleanupJobs.clusterAdmissionReports.tolerations📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: List of node taints to tolerate

cleanupJobs.clusterAdmissionReports.nodeSelector📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Node labels for pod assignment

cleanupJobs.clusterAdmissionReports.podAnnotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Pod Annotations

cleanupJobs.clusterAdmissionReports.podLabels📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Pod Labels

cleanupJobs.clusterAdmissionReports.podAntiAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Pod anti affinity constraints.

cleanupJobs.clusterAdmissionReports.podAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Pod affinity constraints.

cleanupJobs.clusterAdmissionReports.nodeAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Node affinity constraints.

admissionController.featuresOverride📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Overrides features defined at the root level

admissionController.rbac.create📜

Type: bool

Default value
true

Description: Create RBAC resources

admissionController.rbac.serviceAccount.name📜

Type: string

Default value
nil

Description: The ServiceAccount name

admissionController.rbac.serviceAccount.annotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Annotations for the ServiceAccount

admissionController.rbac.serviceAccount.automountServiceAccountToken.enabled📜

Type: bool

Default value
false

admissionController.rbac.deployment.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

admissionController.rbac.clusterRole.extraResources📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Extra resource permissions to add in the cluster role

admissionController.createSelfSignedCert📜

Type: bool

Default value
false

Description: Create self-signed certificates at deployment time. The certificates won’t be automatically renewed if this is set to true.

admissionController.replicas📜

Type: int

Default value
3

Description: Desired number of pods

admissionController.podLabels📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional labels to add to each pod

admissionController.podAnnotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional annotations to add to each pod

admissionController.priorityClassName📜

Type: string

Default value
""

Description: Optional priority class

admissionController.apiPriorityAndFairness📜

Type: bool

Default value
false

Description: Change apiPriorityAndFairness to true if you want to insulate the API calls made by Kyverno admission controller activities. This will help ensure Kyverno stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/

admissionController.hostNetwork📜

Type: bool

Default value
false

Description: Change hostNetwork to true when you want the pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.

admissionController.dnsPolicy📜

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

admissionController.nodeSelector📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Node labels for pod assignment

admissionController.tolerations📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: List of node taints to tolerate

admissionController.antiAffinity.enabled📜

Type: bool

Default value
true

Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.

admissionController.podAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Pod affinity constraints.

admissionController.nodeAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Node affinity constraints.

admissionController.topologySpreadConstraints📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Topology spread constraints.

admissionController.podSecurityContext📜

Type: object

Default value
{"runAsGroup":10001,"runAsNonRoot":true,"runAsUser":10001}
Default value (formatted)
{
  "runAsGroup": 10001,
  "runAsNonRoot": true,
  "runAsUser": 10001
}

Description: Security context for the pod

admissionController.podDisruptionBudget.enabled📜

Type: bool

Default value
false

Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.

admissionController.podDisruptionBudget.minAvailable📜

Type: int

Default value
1

Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.

admissionController.podDisruptionBudget.maxUnavailable📜

Type: string

Default value
nil

Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.

admissionController.tufRootMountPath📜

Type: string

Default value
"/.sigstore"

Description: A writable volume to use for the TUF root initialization.

admissionController.sigstoreVolume📜

Type: object

Default value
{"emptyDir":{}}
Default value (formatted)
{
  "emptyDir": {}
}

Description: Volume to be mounted in pods for TUF/cosign work.

admissionController.imagePullSecrets📜

Type: list

Default value
[{"name":"private-registry"}]
Default value (formatted)
[
  {
    "name": "private-registry"
  }
]

Description: Image pull secrets

admissionController.initContainer.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

admissionController.initContainer.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno/kyvernopre"

Description: Image repository

admissionController.initContainer.image.tag📜

Type: string

Default value
"v1.11.1"

Description: Image tag If missing, defaults to image.tag

admissionController.initContainer.image.pullPolicy📜

Type: string

Default value
nil

Description: Image pull policy If missing, defaults to image.pullPolicy

admissionController.initContainer.resources.limits📜

Type: object

Default value
{"cpu":"100m","memory":"256Mi"}
Default value (formatted)
{
  "cpu": "100m",
  "memory": "256Mi"
}

Description: Pod resource limits

admissionController.initContainer.resources.requests📜

Type: object

Default value
{"cpu":"10m","memory":"64Mi"}
Default value (formatted)
{
  "cpu": "10m",
  "memory": "64Mi"
}

Description: Pod resource requests

admissionController.initContainer.securityContext📜

Type: object

Default value
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":10001,"runAsNonRoot":true,"runAsUser":10001,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
  "allowPrivilegeEscalation": false,
  "capabilities": {
    "drop": [
      "ALL"
    ]
  },
  "privileged": false,
  "readOnlyRootFilesystem": true,
  "runAsGroup": 10001,
  "runAsNonRoot": true,
  "runAsUser": 10001,
  "seccompProfile": {
    "type": "RuntimeDefault"
  }
}

Description: Container security context

admissionController.initContainer.extraArgs📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional container args.

admissionController.initContainer.extraEnvVars📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Additional container environment variables.

admissionController.container.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

admissionController.container.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno"

Description: Image repository

admissionController.container.image.tag📜

Type: string

Default value
"v1.11.1"

Description: Image tag Defaults to appVersion in Chart.yaml if omitted

admissionController.container.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

admissionController.container.imagePullSecrets📜

Type: list

Default value
[{"name":"private-registry"}]
Default value (formatted)
[
  {
    "name": "private-registry"
  }
]

Description: Image pull secrets

admissionController.container.resources.limits📜

Type: object

Default value
{"cpu":"500m","memory":"512Mi"}
Default value (formatted)
{
  "cpu": "500m",
  "memory": "512Mi"
}

Description: Pod resource limits

admissionController.container.resources.requests📜

Type: object

Default value
{"cpu":"500m","memory":"512Mi"}
Default value (formatted)
{
  "cpu": "500m",
  "memory": "512Mi"
}

Description: Pod resource requests

admissionController.container.securityContext📜

Type: object

Default value
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":10001,"runAsNonRoot":true,"runAsUser":10001,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
  "allowPrivilegeEscalation": false,
  "capabilities": {
    "drop": [
      "ALL"
    ]
  },
  "privileged": false,
  "readOnlyRootFilesystem": true,
  "runAsGroup": 10001,
  "runAsNonRoot": true,
  "runAsUser": 10001,
  "seccompProfile": {
    "type": "RuntimeDefault"
  }
}

Description: Container security context

admissionController.container.extraArgs📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional container args.

admissionController.container.extraEnvVars📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Additional container environment variables.

admissionController.extraInitContainers📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Array of extra init containers

admissionController.extraContainers📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Array of extra containers to run alongside kyverno

admissionController.service.port📜

Type: int

Default value
443

Description: Service port.

admissionController.service.type📜

Type: string

Default value
"ClusterIP"

Description: Service type.

admissionController.service.nodePort📜

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

admissionController.service.annotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Service annotations.

admissionController.metricsService.create📜

Type: bool

Default value
true

Description: Create service.

admissionController.metricsService.port📜

Type: int

Default value
8000

Description: Service port. Kyverno’s metrics server will be exposed at this port.

admissionController.metricsService.type📜

Type: string

Default value
"ClusterIP"

Description: Service type.

admissionController.metricsService.nodePort📜

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

admissionController.metricsService.annotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Service annotations.

admissionController.networkPolicy.enabled📜

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.

admissionController.networkPolicy.ingressFrom📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.

admissionController.serviceMonitor.enabled📜

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

admissionController.serviceMonitor.additionalLabels📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional labels

admissionController.serviceMonitor.namespace📜

Type: string

Default value
nil

Description: Override namespace

admissionController.serviceMonitor.interval📜

Type: string

Default value
"30s"

Description: Interval to scrape metrics

admissionController.serviceMonitor.scrapeTimeout📜

Type: string

Default value
"25s"

Description: Timeout if metrics can’t be retrieved in given time interval

admissionController.serviceMonitor.secure📜

Type: bool

Default value
false

Description: Is TLS required for endpoint

admissionController.serviceMonitor.tlsConfig📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: TLS Configuration for endpoint

admissionController.serviceMonitor.relabelings📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: RelabelConfigs to apply to samples before scraping

admissionController.serviceMonitor.metricRelabelings📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: MetricRelabelConfigs to apply to samples before ingestion.

admissionController.tracing.enabled📜

Type: bool

Default value
false

Description: Enable tracing

admissionController.tracing.address📜

Type: string

Default value
nil

Description: Traces receiver address

admissionController.tracing.port📜

Type: string

Default value
nil

Description: Traces receiver port

admissionController.tracing.creds📜

Type: string

Default value
""

Description: Traces receiver credentials

admissionController.metering.disabled📜

Type: bool

Default value
false

Description: Disable metrics export

admissionController.metering.config📜

Type: string

Default value
"prometheus"

Description: Otel configuration, can be prometheus or grpc

admissionController.metering.port📜

Type: int

Default value
8000

Description: Prometheus endpoint port

admissionController.metering.collector📜

Type: string

Default value
""

Description: Otel collector endpoint

admissionController.metering.creds📜

Type: string

Default value
""

Description: Otel collector credentials

backgroundController.featuresOverride📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Overrides features defined at the root level

backgroundController.enabled📜

Type: bool

Default value
true

Description: Enable background controller.

backgroundController.rbac.create📜

Type: bool

Default value
true

Description: Create RBAC resources

backgroundController.rbac.serviceAccount.name📜

Type: string

Default value
nil

Description: Service account name

backgroundController.rbac.serviceAccount.annotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Annotations for the ServiceAccount

backgroundController.rbac.serviceAccount.automountServiceAccountToken.enabled📜

Type: bool

Default value
false

backgroundController.rbac.deployment.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

backgroundController.rbac.clusterRole.extraResources📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Extra resource permissions to add in the cluster role

backgroundController.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

backgroundController.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno/kyverno/background-controller"

Description: Image repository

backgroundController.image.tag📜

Type: string

Default value
"v1.11.1"

Description: Image tag Defaults to appVersion in Chart.yaml if omitted

backgroundController.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

backgroundController.imagePullSecrets📜

Type: list

Default value
[{"name":"private-registry"}]
Default value (formatted)
[
  {
    "name": "private-registry"
  }
]

Description: Image pull secrets

backgroundController.replicas📜

Type: int

Default value
nil

Description: Desired number of pods

backgroundController.podLabels📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional labels to add to each pod

backgroundController.podAnnotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional annotations to add to each pod

backgroundController.priorityClassName📜

Type: string

Default value
""

Description: Optional priority class

backgroundController.hostNetwork📜

Type: bool

Default value
false

Description: Change hostNetwork to true when you want the pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.

backgroundController.dnsPolicy📜

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

backgroundController.extraArgs📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Extra arguments passed to the container on the command line

backgroundController.extraEnvVars📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Additional container environment variables.

backgroundController.resources.limits📜

Type: object

Default value
{"memory":"128Mi"}
Default value (formatted)
{
  "memory": "128Mi"
}

Description: Pod resource limits

backgroundController.resources.requests📜

Type: object

Default value
{"cpu":"100m","memory":"64Mi"}
Default value (formatted)
{
  "cpu": "100m",
  "memory": "64Mi"
}

Description: Pod resource requests

backgroundController.nodeSelector📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Node labels for pod assignment

backgroundController.tolerations📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: List of node taints to tolerate

backgroundController.antiAffinity.enabled📜

Type: bool

Default value
true

Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.

backgroundController.podAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Pod affinity constraints.

backgroundController.nodeAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Node affinity constraints.

backgroundController.topologySpreadConstraints📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Topology spread constraints.

backgroundController.podSecurityContext📜

Type: object

Default value
{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000}
Default value (formatted)
{
  "runAsGroup": 1000,
  "runAsNonRoot": true,
  "runAsUser": 1000
}

Description: Security context for the pod

backgroundController.securityContext📜

Type: object

Default value
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
  "allowPrivilegeEscalation": false,
  "capabilities": {
    "drop": [
      "ALL"
    ]
  },
  "privileged": false,
  "readOnlyRootFilesystem": true,
  "runAsGroup": 1000,
  "runAsNonRoot": true,
  "runAsUser": 1000,
  "seccompProfile": {
    "type": "RuntimeDefault"
  }
}

Description: Security context for the containers

backgroundController.podDisruptionBudget.enabled📜

Type: bool

Default value
false

Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.

backgroundController.podDisruptionBudget.minAvailable📜

Type: int

Default value
1

Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.

backgroundController.podDisruptionBudget.maxUnavailable📜

Type: string

Default value
nil

Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.

backgroundController.metricsService.create📜

Type: bool

Default value
true

Description: Create service.

backgroundController.metricsService.port📜

Type: int

Default value
8000

Description: Service port. Metrics server will be exposed at this port.

backgroundController.metricsService.type📜

Type: string

Default value
"ClusterIP"

Description: Service type.

backgroundController.metricsService.nodePort📜

Type: string

Default value
nil

Description: Service node port. Only used if metricsService.type is NodePort.

backgroundController.metricsService.annotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Service annotations.

backgroundController.networkPolicy.enabled📜

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.

backgroundController.networkPolicy.ingressFrom📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.

backgroundController.serviceMonitor.enabled📜

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

backgroundController.serviceMonitor.additionalLabels📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional labels

backgroundController.serviceMonitor.namespace📜

Type: string

Default value
nil

Description: Override namespace

backgroundController.serviceMonitor.interval📜

Type: string

Default value
"30s"

Description: Interval to scrape metrics

backgroundController.serviceMonitor.scrapeTimeout📜

Type: string

Default value
"25s"

Description: Timeout if metrics can’t be retrieved in given time interval

backgroundController.serviceMonitor.secure📜

Type: bool

Default value
false

Description: Is TLS required for endpoint

backgroundController.serviceMonitor.tlsConfig📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: TLS Configuration for endpoint

backgroundController.serviceMonitor.relabelings📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: RelabelConfigs to apply to samples before scraping

backgroundController.serviceMonitor.metricRelabelings📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: MetricRelabelConfigs to apply to samples before ingestion.

backgroundController.tracing.enabled📜

Type: bool

Default value
false

Description: Enable tracing

backgroundController.tracing.address📜

Type: string

Default value
nil

Description: Traces receiver address

backgroundController.tracing.port📜

Type: string

Default value
nil

Description: Traces receiver port

backgroundController.tracing.creds📜

Type: string

Default value
""

Description: Traces receiver credentials

backgroundController.metering.disabled📜

Type: bool

Default value
false

Description: Disable metrics export

backgroundController.metering.config📜

Type: string

Default value
"prometheus"

Description: Otel configuration, can be prometheus or grpc

backgroundController.metering.port📜

Type: int

Default value
8000

Description: Prometheus endpoint port

backgroundController.metering.collector📜

Type: string

Default value
""

Description: Otel collector endpoint

backgroundController.metering.creds📜

Type: string

Default value
""

Description: Otel collector credentials

cleanupController.featuresOverride📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Overrides features defined at the root level

cleanupController.enabled📜

Type: bool

Default value
true

Description: Enable cleanup controller.

cleanupController.rbac.create📜

Type: bool

Default value
true

Description: Create RBAC resources

cleanupController.rbac.serviceAccount.name📜

Type: string

Default value
nil

Description: Service account name

cleanupController.rbac.serviceAccount.annotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Annotations for the ServiceAccount

cleanupController.rbac.serviceAccount.automountServiceAccountToken.enabled📜

Type: bool

Default value
false

cleanupController.rbac.deployment.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

cleanupController.rbac.clusterRole.extraResources📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Extra resource permissions to add in the cluster role

cleanupController.createSelfSignedCert📜

Type: bool

Default value
false

Description: Create self-signed certificates at deployment time. The certificates won’t be automatically renewed if this is set to true.

cleanupController.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupController.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno/kyverno/cleanup-controller"

Description: Image repository

cleanupController.image.tag📜

Type: string

Default value
"v1.11.1"

Description: Image tag Defaults to appVersion in Chart.yaml if omitted

cleanupController.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

cleanupController.imagePullSecrets📜

Type: list

Default value
[{"name":"private-registry"}]
Default value (formatted)
[
  {
    "name": "private-registry"
  }
]

Description: Image pull secrets

cleanupController.replicas📜

Type: int

Default value
nil

Description: Desired number of pods

cleanupController.podLabels📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional labels to add to each pod

cleanupController.podAnnotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional annotations to add to each pod

cleanupController.priorityClassName📜

Type: string

Default value
""

Description: Optional priority class

cleanupController.hostNetwork📜

Type: bool

Default value
false

Description: Change hostNetwork to true when you want the pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.

cleanupController.dnsPolicy📜

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

cleanupController.extraArgs📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Extra arguments passed to the container on the command line

cleanupController.extraEnvVars📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Additional container environment variables.

cleanupController.resources.limits📜

Type: object

Default value
{"memory":"128Mi"}
Default value (formatted)
{
  "memory": "128Mi"
}

Description: Pod resource limits

cleanupController.resources.requests📜

Type: object

Default value
{"cpu":"100m","memory":"64Mi"}
Default value (formatted)
{
  "cpu": "100m",
  "memory": "64Mi"
}

Description: Pod resource requests

cleanupController.nodeSelector📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Node labels for pod assignment

cleanupController.tolerations📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: List of node taints to tolerate

cleanupController.antiAffinity.enabled📜

Type: bool

Default value
true

Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.

cleanupController.podAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Pod affinity constraints.

cleanupController.nodeAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Node affinity constraints.

cleanupController.topologySpreadConstraints📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Topology spread constraints.

cleanupController.podSecurityContext📜

Type: object

Default value
{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000}
Default value (formatted)
{
  "runAsGroup": 1000,
  "runAsNonRoot": true,
  "runAsUser": 1000
}

Description: Security context for the pod

cleanupController.securityContext📜

Type: object

Default value
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
  "allowPrivilegeEscalation": false,
  "capabilities": {
    "drop": [
      "ALL"
    ]
  },
  "privileged": false,
  "readOnlyRootFilesystem": true,
  "runAsGroup": 1000,
  "runAsNonRoot": true,
  "runAsUser": 1000,
  "seccompProfile": {
    "type": "RuntimeDefault"
  }
}

Description: Security context for the containers

cleanupController.podDisruptionBudget.enabled📜

Type: bool

Default value
false

Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.

cleanupController.podDisruptionBudget.minAvailable📜

Type: int

Default value
1

Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.

cleanupController.podDisruptionBudget.maxUnavailable📜

Type: string

Default value
nil

Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.

cleanupController.service.port📜

Type: int

Default value
443

Description: Service port.

cleanupController.service.type📜

Type: string

Default value
"ClusterIP"

Description: Service type.

cleanupController.service.nodePort📜

Type: string

Default value
nil

Description: Service node port. Only used if service.type is NodePort.

cleanupController.service.annotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Service annotations.

cleanupController.metricsService.create📜

Type: bool

Default value
true

Description: Create service.

cleanupController.metricsService.port📜

Type: int

Default value
8000

Description: Service port. Metrics server will be exposed at this port.

cleanupController.metricsService.type📜

Type: string

Default value
"ClusterIP"

Description: Service type.

cleanupController.metricsService.nodePort📜

Type: string

Default value
nil

Description: Service node port. Only used if metricsService.type is NodePort.

cleanupController.metricsService.annotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Service annotations.

cleanupController.networkPolicy.enabled📜

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.

cleanupController.networkPolicy.ingressFrom📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.

cleanupController.serviceMonitor.enabled📜

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

cleanupController.serviceMonitor.additionalLabels📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional labels

cleanupController.serviceMonitor.namespace📜

Type: string

Default value
nil

Description: Override namespace

cleanupController.serviceMonitor.interval📜

Type: string

Default value
"30s"

Description: Interval to scrape metrics

cleanupController.serviceMonitor.scrapeTimeout📜

Type: string

Default value
"25s"

Description: Timeout if metrics can’t be retrieved in given time interval

cleanupController.serviceMonitor.secure📜

Type: bool

Default value
false

Description: Is TLS required for endpoint

cleanupController.serviceMonitor.tlsConfig📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: TLS Configuration for endpoint

cleanupController.serviceMonitor.relabelings📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: RelabelConfigs to apply to samples before scraping

cleanupController.serviceMonitor.metricRelabelings📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: MetricRelabelConfigs to apply to samples before ingestion.

cleanupController.tracing.enabled📜

Type: bool

Default value
false

Description: Enable tracing

cleanupController.tracing.address📜

Type: string

Default value
nil

Description: Traces receiver address

cleanupController.tracing.port📜

Type: string

Default value
nil

Description: Traces receiver port

cleanupController.tracing.creds📜

Type: string

Default value
""

Description: Traces receiver credentials

cleanupController.metering.disabled📜

Type: bool

Default value
false

Description: Disable metrics export

cleanupController.metering.config📜

Type: string

Default value
"prometheus"

Description: Otel configuration, can be prometheus or grpc

cleanupController.metering.port📜

Type: int

Default value
8000

Description: Prometheus endpoint port

cleanupController.metering.collector📜

Type: string

Default value
""

Description: Otel collector endpoint

cleanupController.metering.creds📜

Type: string

Default value
""

Description: Otel collector credentials

reportsController.featuresOverride📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Overrides features defined at the root level

reportsController.enabled📜

Type: bool

Default value
true

Description: Enable reports controller.

reportsController.rbac.create📜

Type: bool

Default value
true

Description: Create RBAC resources

reportsController.rbac.serviceAccount.name📜

Type: string

Default value
nil

Description: Service account name

reportsController.rbac.serviceAccount.annotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Annotations for the ServiceAccount

reportsController.rbac.serviceAccount.automountServiceAccountToken.enabled📜

Type: bool

Default value
false

reportsController.rbac.deployment.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

reportsController.rbac.clusterRole.extraResources📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Extra resource permissions to add in the cluster role

reportsController.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

reportsController.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno/kyverno/reports-controller"

Description: Image repository

reportsController.image.tag📜

Type: string

Default value
"v1.11.1"

Description: Image tag Defaults to appVersion in Chart.yaml if omitted

reportsController.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

reportsController.imagePullSecrets📜

Type: list

Default value
[{"name":"private-registry"}]
Default value (formatted)
[
  {
    "name": "private-registry"
  }
]

Description: Image pull secrets

reportsController.replicas📜

Type: int

Default value
nil

Description: Desired number of pods

reportsController.podLabels📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional labels to add to each pod

reportsController.podAnnotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional annotations to add to each pod

reportsController.priorityClassName📜

Type: string

Default value
""

Description: Optional priority class

reportsController.apiPriorityAndFairness📜

Type: bool

Default value
false

Description: Change apiPriorityAndFairness to true if you want to insulate the API calls made by Kyverno reports controller activities. This will help ensure Kyverno reports stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/

reportsController.hostNetwork📜

Type: bool

Default value
false

Description: Change hostNetwork to true when you want the pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.

reportsController.dnsPolicy📜

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

reportsController.extraArgs📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Extra arguments passed to the container on the command line

reportsController.extraEnvVars📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Additional container environment variables.

reportsController.resources.limits📜

Type: object

Default value
{"memory":"128Mi"}
Default value (formatted)
{
  "memory": "128Mi"
}

Description: Pod resource limits

reportsController.resources.requests📜

Type: object

Default value
{"cpu":"100m","memory":"64Mi"}
Default value (formatted)
{
  "cpu": "100m",
  "memory": "64Mi"
}

Description: Pod resource requests

reportsController.nodeSelector📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Node labels for pod assignment

reportsController.tolerations📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: List of node taints to tolerate

reportsController.antiAffinity.enabled📜

Type: bool

Default value
true

Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.

reportsController.podAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Pod affinity constraints.

reportsController.nodeAffinity📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Node affinity constraints.

reportsController.topologySpreadConstraints📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: Topology spread constraints.

reportsController.podSecurityContext📜

Type: object

Default value
{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000}
Default value (formatted)
{
  "runAsGroup": 1000,
  "runAsNonRoot": true,
  "runAsUser": 1000
}

Description: Security context for the pod

reportsController.securityContext📜

Type: object

Default value
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
  "allowPrivilegeEscalation": false,
  "capabilities": {
    "drop": [
      "ALL"
    ]
  },
  "privileged": false,
  "readOnlyRootFilesystem": true,
  "runAsGroup": 1000,
  "runAsNonRoot": true,
  "runAsUser": 1000,
  "seccompProfile": {
    "type": "RuntimeDefault"
  }
}

Description: Security context for the containers

reportsController.podDisruptionBudget.enabled📜

Type: bool

Default value
false

Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.

reportsController.podDisruptionBudget.minAvailable📜

Type: int

Default value
1

Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.

reportsController.podDisruptionBudget.maxUnavailable📜

Type: string

Default value
nil

Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.

reportsController.tufRootMountPath📜

Type: string

Default value
"/.sigstore"

Description: A writable volume to use for the TUF root initialization.

reportsController.sigstoreVolume📜

Type: object

Default value
{"emptyDir":{}}
Default value (formatted)
{
  "emptyDir": {}
}

Description: Volume to be mounted in pods for TUF/cosign work.

reportsController.metricsService.create📜

Type: bool

Default value
true

Description: Create service.

reportsController.metricsService.port📜

Type: int

Default value
8000

Description: Service port. Metrics server will be exposed at this port.

reportsController.metricsService.type📜

Type: string

Default value
"ClusterIP"

Description: Service type.

reportsController.metricsService.nodePort📜

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

reportsController.metricsService.annotations📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Service annotations.

reportsController.networkPolicy.enabled📜

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.

reportsController.networkPolicy.ingressFrom📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.

reportsController.serviceMonitor.enabled📜

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

reportsController.serviceMonitor.additionalLabels📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: Additional labels

reportsController.serviceMonitor.namespace📜

Type: string

Default value
nil

Description: Override namespace

reportsController.serviceMonitor.interval📜

Type: string

Default value
"30s"

Description: Interval to scrape metrics

reportsController.serviceMonitor.scrapeTimeout📜

Type: string

Default value
"25s"

Description: Timeout if metrics can’t be retrieved in given time interval

reportsController.serviceMonitor.secure📜

Type: bool

Default value
false

Description: Is TLS required for endpoint

reportsController.serviceMonitor.tlsConfig📜

Type: object

Default value
{}
Default value (formatted)
{}

Description: TLS Configuration for endpoint

reportsController.serviceMonitor.relabelings📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: RelabelConfigs to apply to samples before scraping

reportsController.serviceMonitor.metricRelabelings📜

Type: list

Default value
[]
Default value (formatted)
[]

Description: MetricRelabelConfigs to apply to samples before ingestion.

reportsController.tracing.enabled📜

Type: bool

Default value
false

Description: Enable tracing

reportsController.tracing.address📜

Type: string

Default value
nil

Description: Traces receiver address

reportsController.tracing.port📜

Type: string

Default value
nil

Description: Traces receiver port

reportsController.tracing.creds📜

Type: string

Default value
nil

Description: Traces receiver credentials

reportsController.metering.disabled📜

Type: bool

Default value
false

Description: Disable metrics export

reportsController.metering.config📜

Type: string

Default value
"prometheus"

Description: Otel configuration, can be prometheus or grpc

reportsController.metering.port📜

Type: int

Default value
8000

Description: Prometheus endpoint port

reportsController.metering.collector📜

Type: string

Default value
nil

Description: Otel collector endpoint

reportsController.metering.creds📜

Type: string

Default value
nil

Description: Otel collector credentials

networkPolicies.enabled📜

Type: bool

Default value
false

networkPolicies.controlPlaneCidr📜

Type: string

Default value
"0.0.0.0/0"

networkPolicies.externalRegistries.allowEgress📜

Type: bool

Default value
false

networkPolicies.externalRegistries.ports📜

Type: list

Default value
[]
Default value (formatted)
[]

networkPolicies.allowExternalRegistryEgress📜

Type: bool

Default value
false

istio.enabled📜

Type: bool

Default value
false

openshift📜

Type: bool

Default value
false

bbtests.enabled📜

Type: bool

Default value
false

bbtests.scripts.image📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.28.4"

bbtests.scripts.additionalVolumeMounts[0].name📜

Type: string

Default value
"kyverno-bbtest-manifest"

bbtests.scripts.additionalVolumeMounts[0].mountPath📜

Type: string

Default value
"/yaml"

bbtests.scripts.additionalVolumes[0].name📜

Type: string

Default value
"kyverno-bbtest-manifest"

bbtests.scripts.additionalVolumes[0].configMap.name📜

Type: string

Default value
"kyverno-bbtest-manifest"