kyverno values.yaml
templatingπ
Type: object
debug: false
enabled: false
version: null
Description: Internal settings used with `helm template` to generate install manifest @ignored
global.image.registryπ
Type: string
nil
Description: Global value that allows setting a single image registry across all deployments. When set, it will override any values set under `.image.registry` across the chart.
nameOverrideπ
Type: string
nil
Description: Override the name of the chart
fullnameOverrideπ
Type: string
nil
Description: Override the expanded name of the chart
namespaceOverrideπ
Type: string
nil
Description: Override the namespace the chart deploys to
upgrade.fromV2π
Type: bool
true
Description: Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed.
apiVersionOverride.podDisruptionBudgetπ
Type: string
"policy/v1"
Description: Override api version used to create `PodDisruptionBudget` resources. When not specified the chart will check if `policy/v1/PodDisruptionBudget` is available to determine the api version automatically.
crds.installπ
Type: bool
true
Description: Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created
crds.annotationsπ
Type: object
{}
Description: Additional CRDs annotations
crds.customLabelsπ
Type: object
{}
Description: Additional CRDs labels
config.createπ
Type: bool
true
Description: Create the configmap.
config.nameπ
Type: string
nil
Description: The configmap name (required if `create` is `false`).
config.annotationsπ
Type: object
{}
Description: Additional annotations to add to the configmap.
config.enableDefaultRegistryMutationπ
Type: bool
true
Description: Enable registry mutation for container images. Enabled by default.
config.defaultRegistryπ
Type: string
"registry1.dso.mil"
Description: The registry hostname used for the image mutation.
config.excludeGroupsπ
Type: list
- system:nodes
Description: Exclude groups
config.excludeUsernamesπ
Type: list
[]
Description: Exclude usernames
config.excludeRolesπ
Type: list
[]
Description: Exclude roles
config.excludeClusterRolesπ
Type: list
[]
Description: Exclude cluster roles
config.generateSuccessEventsπ
Type: bool
false
Description: Generate success events.
config.webhooksπ
Type: list
[]
Description: Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
config.webhookAnnotationsπ
Type: object
{}
Description: Defines annotations to set on webhook configurations.
config.matchConditionsπ
Type: list
[]
Description: Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+).
config.excludeKyvernoNamespaceπ
Type: bool
true
Description: Exclude Kyverno namespace. Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters
config.resourceFiltersExcludeNamespacesπ
Type: list
[]
Description: resourceFilter namespace exclude. Namespaces to exclude from the default resourceFilters
metricsConfig.createπ
Type: bool
true
Description: Create the configmap.
metricsConfig.nameπ
Type: string
nil
Description: The configmap name (required if `create` is `false`).
metricsConfig.annotationsπ
Type: object
{}
Description: Additional annotations to add to the configmap.
metricsConfig.namespaces.includeπ
Type: list
[]
Description: List of namespaces to capture metrics for.
metricsConfig.namespaces.excludeπ
Type: list
[]
Description: list of namespaces to NOT capture metrics for.
metricsConfig.metricsRefreshIntervalπ
Type: string
nil
Description: Rate at which metrics should reset so as to clean up the memory footprint of Kyverno metrics, if you expect a high memory footprint from Kyverno's metrics. Default: 0, no refresh of metrics. WARNING: This flag is not working since Kyverno 1.8.0
metricsConfig.bucketBoundariesπ
Type: list
- 0.005
- 0.01
- 0.025
- 0.05
- 0.1
- 0.25
- 0.5
- 1
- 2.5
- 5
- 10
- 15
- 20
- 25
- 30
Description: Configures the bucket boundaries for all Histogram metrics, changing this configuration requires restart of the kyverno admission controller
metricsConfig.metricsExposureπ
Type: map
nil
Description: Configures the exposure of individual metrics, by default all metrics and all labels are exported, changing this configuration requires restart of the kyverno admission controller
imagePullSecretsπ
Type: object
{}
Description: Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument
existingImagePullSecretsπ
Type: list
- private-registry
Description: Existing image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument
test.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
test.image.repositoryπ
Type: string
"ironbank/redhat/ubi/ubi9-minimal"
Description: Image repository
test.image.tagπ
Type: string
"9.3"
Description: Image tag. Defaults to `latest` if omitted
test.image.pullPolicyπ
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
test.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
test.resources.limitsπ
Type: object
cpu: 100m
memory: 256Mi
Description: Pod resource limits
test.resources.requestsπ
Type: object
cpu: 10m
memory: 64Mi
Description: Pod resource requests
test.podSecurityContextπ
Type: object
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
Description: Security context for the test pod
test.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
Description: Security context for the test containers
customLabelsπ
Type: object
{}
Description: Additional labels
webhooksCleanup.enabledπ
Type: bool
true
Description: Create a helm pre-delete hook to cleanup webhooks.
webhooksCleanup.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
webhooksCleanup.image.repositoryπ
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
webhooksCleanup.image.tagπ
Type: string
"v1.29.3"
Description: Image tag. Defaults to `latest` if omitted
webhooksCleanup.image.pullPolicyπ
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
webhooksCleanup.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
webhooksCleanup.automountServiceAccountToken.enabledπ
Type: bool
true
webhooksCleanup.podSecurityContextπ
Type: object
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
Description: Security context for the pod
webhooksCleanup.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
webhooksCleanup.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
webhooksCleanup.podAntiAffinityπ
Type: object
{}
Description: Pod anti affinity constraints.
webhooksCleanup.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
webhooksCleanup.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
webhooksCleanup.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
type: RuntimeDefault
Description: Security context for the hook containers
webhooksCleanup.resourcesπ
Type: object
limits:
cpu: '0.5'
memory: 256Mi
requests:
cpu: '0.5'
memory: 256Mi
Description: Resource limits for the containers
policyReportsCleanup.enabledπ
Type: bool
true
Description: Create a helm post-upgrade hook to cleanup the old policy reports.
policyReportsCleanup.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
policyReportsCleanup.image.repositoryπ
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
policyReportsCleanup.image.tagπ
Type: string
"v1.29.3"
Description: Image tag. Defaults to `latest` if omitted
policyReportsCleanup.image.pullPolicyπ
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
policyReportsCleanup.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
policyReportsCleanup.podSecurityContextπ
Type: object
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
Description: Security context for the pod
policyReportsCleanup.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
policyReportsCleanup.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
policyReportsCleanup.podAntiAffinityπ
Type: object
{}
Description: Pod anti affinity constraints.
policyReportsCleanup.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
policyReportsCleanup.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
policyReportsCleanup.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
type: RuntimeDefault
Description: Security context for the hook containers
policyReportsCleanup.resourcesπ
Type: object
limits:
cpu: '0.5'
memory: 256Mi
requests:
cpu: '0.5'
memory: 256Mi
Description: Resource limits for the containers
grafana.enabledπ
Type: bool
false
Description: Enable grafana dashboard creation.
grafana.configMapNameπ
Type: string
"{{ include \"kyverno.fullname\" . }}-grafana"
Description: Configmap name template.
grafana.namespaceπ
Type: string
nil
Description: Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed.
grafana.annotationsπ
Type: object
{}
Description: Grafana dashboard configmap annotations.
grafana.labelsπ
Type: object
grafana_dashboard: '1'
Description: Grafana dashboard configmap labels
grafana.grafanaDashboardπ
Type: object
create: false
matchLabels:
dashboards: grafana
Description: Create a GrafanaDashboard custom resource referencing the configMap, according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/
features.admissionReports.enabledπ
Type: bool
true
Description: Enables the feature
features.aggregateReports.enabledπ
Type: bool
true
Description: Enables the feature
features.policyReports.enabledπ
Type: bool
true
Description: Enables the feature
features.validatingAdmissionPolicyReports.enabledπ
Type: bool
false
Description: Enables the feature
features.autoUpdateWebhooks.enabledπ
Type: bool
true
Description: Enables the feature
features.backgroundScan.enabledπ
Type: bool
true
Description: Enables the feature
features.backgroundScan.backgroundScanWorkersπ
Type: int
2
Description: Number of background scan workers
features.backgroundScan.backgroundScanIntervalπ
Type: string
"1h"
Description: Background scan interval
features.backgroundScan.skipResourceFiltersπ
Type: bool
true
Description: Skips resource filters in background scan
features.configMapCaching.enabledπ
Type: bool
true
Description: Enables the feature
features.deferredLoading.enabledπ
Type: bool
true
Description: Enables the feature
features.dumpPayload.enabledπ
Type: bool
false
Description: Enables the feature
features.forceFailurePolicyIgnore.enabledπ
Type: bool
false
Description: Enables the feature
features.generateValidatingAdmissionPolicy.enabledπ
Type: bool
false
Description: Enables the feature
features.logging.formatπ
Type: string
"text"
Description: Logging format
features.logging.verbosityπ
Type: int
2
Description: Logging verbosity
features.omitEvents.eventTypesπ
Type: list
[]
Description: Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`)
features.policyExceptions.enabledπ
Type: bool
true
Description: Enables the feature
features.policyExceptions.namespaceπ
Type: string
"kyverno"
Description: Restrict policy exceptions to a single namespace
features.protectManagedResources.enabledπ
Type: bool
false
Description: Enables the feature
features.registryClient.allowInsecureπ
Type: bool
false
Description: Allow insecure registry
features.registryClient.credentialHelpersπ
Type: list
- default
- google
- amazon
- azure
- github
Description: Enable registry client helpers
features.reports.chunkSizeπ
Type: int
1000
Description: Reports chunk size
features.ttlController.reconciliationIntervalπ
Type: string
"1m"
Description: Reconciliation interval for the label based cleanup manager
features.tuf.enabledπ
Type: bool
false
Description: Enables the feature
features.tuf.rootπ
Type: string
nil
Description: Tuf root
features.tuf.mirrorπ
Type: string
nil
Description: Tuf mirror
cleanupJobs.rbac.serviceAccount.automountServiceAccountToken.enabledπ
Type: bool
false
cleanupJobs.admissionReports.enabledπ
Type: bool
true
Description: Enable cleanup cronjob
cleanupJobs.admissionReports.automountServiceAccountToken.enabledπ
Type: bool
true
cleanupJobs.admissionReports.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
cleanupJobs.admissionReports.image.repositoryπ
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
cleanupJobs.admissionReports.image.tagπ
Type: string
"v1.29.3"
Description: Image tag. Defaults to `latest` if omitted
cleanupJobs.admissionReports.image.pullPolicyπ
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
cleanupJobs.admissionReports.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
cleanupJobs.admissionReports.scheduleπ
Type: string
"*/10 * * * *"
Description: Cronjob schedule
cleanupJobs.admissionReports.thresholdπ
Type: int
10000
Description: Reports threshold, if number of reports are above this value the cronjob will start deleting them
cleanupJobs.admissionReports.historyπ
Type: object
failure: 1
success: 1
Description: Cronjob history
cleanupJobs.admissionReports.podSecurityContextπ
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
cleanupJobs.admissionReports.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
cleanupJobs.admissionReports.resourcesπ
Type: object
{}
Description: Job resources
cleanupJobs.admissionReports.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
cleanupJobs.admissionReports.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
cleanupJobs.admissionReports.podAnnotationsπ
Type: object
{}
Description: Pod Annotations
cleanupJobs.admissionReports.podLabelsπ
Type: object
{}
Description: Pod labels
cleanupJobs.admissionReports.podAntiAffinityπ
Type: object
{}
Description: Pod anti affinity constraints.
cleanupJobs.admissionReports.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
cleanupJobs.admissionReports.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
cleanupJobs.clusterAdmissionReports.enabledπ
Type: bool
true
Description: Enable cleanup cronjob
cleanupJobs.clusterAdmissionReports.automountServiceAccountToken.enabledπ
Type: bool
true
cleanupJobs.clusterAdmissionReports.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
cleanupJobs.clusterAdmissionReports.image.repositoryπ
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
cleanupJobs.clusterAdmissionReports.image.tagπ
Type: string
"v1.29.3"
Description: Image tag. Defaults to `latest` if omitted
cleanupJobs.clusterAdmissionReports.image.pullPolicyπ
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
cleanupJobs.clusterAdmissionReports.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
cleanupJobs.clusterAdmissionReports.scheduleπ
Type: string
"*/10 * * * *"
Description: Cronjob schedule
cleanupJobs.clusterAdmissionReports.thresholdπ
Type: int
10000
Description: Reports threshold, if number of reports are above this value the cronjob will start deleting them
cleanupJobs.clusterAdmissionReports.historyπ
Type: object
failure: 1
success: 1
Description: Cronjob history
cleanupJobs.clusterAdmissionReports.podSecurityContextπ
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
cleanupJobs.clusterAdmissionReports.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
cleanupJobs.clusterAdmissionReports.resourcesπ
Type: object
{}
Description: Job resources
cleanupJobs.clusterAdmissionReports.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
cleanupJobs.clusterAdmissionReports.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
cleanupJobs.clusterAdmissionReports.podAnnotationsπ
Type: object
{}
Description: Pod Annotations
cleanupJobs.clusterAdmissionReports.podLabelsπ
Type: object
{}
Description: Pod Labels
cleanupJobs.clusterAdmissionReports.podAntiAffinityπ
Type: object
{}
Description: Pod anti affinity constraints.
cleanupJobs.clusterAdmissionReports.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
cleanupJobs.clusterAdmissionReports.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
admissionController.featuresOverrideπ
Type: object
{}
Description: Overrides features defined at the root level
admissionController.rbac.createπ
Type: bool
true
Description: Create RBAC resources
admissionController.rbac.serviceAccount.nameπ
Type: string
nil
Description: The ServiceAccount name
admissionController.rbac.serviceAccount.annotationsπ
Type: object
{}
Description: Annotations for the ServiceAccount
admissionController.rbac.serviceAccount.automountServiceAccountToken.enabledπ
Type: bool
false
admissionController.rbac.deployment.automountServiceAccountToken.enabledπ
Type: bool
true
admissionController.rbac.clusterRole.extraResourcesπ
Type: list
[]
Description: Extra resource permissions to add in the cluster role
admissionController.createSelfSignedCertπ
Type: bool
false
Description: Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`.
admissionController.replicasπ
Type: int
3
Description: Desired number of pods
admissionController.podLabelsπ
Type: object
{}
Description: Additional labels to add to each pod
admissionController.podAnnotationsπ
Type: object
{}
Description: Additional annotations to add to each pod
admissionController.priorityClassNameπ
Type: string
""
Description: Optional priority class
admissionController.apiPriorityAndFairnessπ
Type: bool
false
Description: Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno admission controller activities. This will help ensure Kyverno stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
admissionController.hostNetworkπ
Type: bool
false
Description: Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode.
admissionController.dnsPolicyπ
Type: string
"ClusterFirst"
Description: `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
admissionController.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
admissionController.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
admissionController.antiAffinity.enabledπ
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
admissionController.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
admissionController.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
admissionController.topologySpreadConstraintsπ
Type: list
[]
Description: Topology spread constraints.
admissionController.podSecurityContextπ
Type: object
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
Description: Security context for the pod
admissionController.podDisruptionBudget.enabledπ
Type: bool
false
Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
admissionController.podDisruptionBudget.minAvailableπ
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set.
admissionController.podDisruptionBudget.maxUnavailableπ
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set.
admissionController.tufRootMountPathπ
Type: string
"/.sigstore"
Description: A writable volume to use for the TUF root initialization.
admissionController.sigstoreVolumeπ
Type: object
emptyDir: {}
Description: Volume to be mounted in pods for TUF/cosign work.
admissionController.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
admissionController.initContainer.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
admissionController.initContainer.image.repositoryπ
Type: string
"ironbank/opensource/kyverno/kyvernopre"
Description: Image repository
admissionController.initContainer.image.tagπ
Type: string
"v1.11.4"
Description: Image tag If missing, defaults to image.tag
admissionController.initContainer.image.pullPolicyπ
Type: string
nil
Description: Image pull policy If missing, defaults to image.pullPolicy
admissionController.initContainer.resources.limitsπ
Type: object
cpu: 100m
memory: 256Mi
Description: Pod resource limits
admissionController.initContainer.resources.requestsπ
Type: object
cpu: 10m
memory: 64Mi
Description: Pod resource requests
admissionController.initContainer.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
type: RuntimeDefault
Description: Container security context
admissionController.initContainer.extraArgsπ
Type: object
{}
Description: Additional container args.
admissionController.initContainer.extraEnvVarsπ
Type: list
[]
Description: Additional container environment variables.
admissionController.container.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
admissionController.container.image.repositoryπ
Type: string
"ironbank/opensource/kyverno"
Description: Image repository
admissionController.container.image.tagπ
Type: string
"v1.11.4"
Description: Image tag Defaults to appVersion in Chart.yaml if omitted
admissionController.container.image.pullPolicyπ
Type: string
"IfNotPresent"
Description: Image pull policy
admissionController.container.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
admissionController.container.resources.limitsπ
Type: object
cpu: 500m
memory: 512Mi
Description: Pod resource limits
admissionController.container.resources.requestsπ
Type: object
cpu: 500m
memory: 512Mi
Description: Pod resource requests
admissionController.container.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
type: RuntimeDefault
Description: Container security context
admissionController.container.extraArgsπ
Type: object
{}
Description: Additional container args.
admissionController.container.extraEnvVarsπ
Type: list
[]
Description: Additional container environment variables.
admissionController.extraInitContainersπ
Type: list
[]
Description: Array of extra init containers
admissionController.extraContainersπ
Type: list
[]
Description: Array of extra containers to run alongside kyverno
admissionController.service.portπ
Type: int
443
Description: Service port.
admissionController.service.typeπ
Type: string
"ClusterIP"
Description: Service type.
admissionController.service.nodePortπ
Type: string
nil
Description: Service node port. Only used if `type` is `NodePort`.
admissionController.service.annotationsπ
Type: object
{}
Description: Service annotations.
admissionController.metricsService.createπ
Type: bool
true
Description: Create service.
admissionController.metricsService.portπ
Type: int
8000
Description: Service port. Kyverno's metrics server will be exposed at this port.
admissionController.metricsService.typeπ
Type: string
"ClusterIP"
Description: Service type.
admissionController.metricsService.nodePortπ
Type: string
nil
Description: Service node port. Only used if `type` is `NodePort`.
admissionController.metricsService.annotationsπ
Type: object
{}
Description: Service annotations.
admissionController.networkPolicy.enabledπ
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook. This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
admissionController.networkPolicy.ingressFromπ
Type: list
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
admissionController.serviceMonitor.enabledπ
Type: bool
false
Description: Create a `ServiceMonitor` to collect Prometheus metrics.
admissionController.serviceMonitor.additionalLabelsπ
Type: object
{}
Description: Additional labels
admissionController.serviceMonitor.namespaceπ
Type: string
nil
Description: Override namespace
admissionController.serviceMonitor.intervalπ
Type: string
"30s"
Description: Interval to scrape metrics
admissionController.serviceMonitor.scrapeTimeoutπ
Type: string
"25s"
Description: Timeout if metrics can't be retrieved in given time interval
admissionController.serviceMonitor.secureπ
Type: bool
false
Description: Is TLS required for endpoint
admissionController.serviceMonitor.tlsConfigπ
Type: object
{}
Description: TLS Configuration for endpoint
admissionController.serviceMonitor.relabelingsπ
Type: list
[]
Description: RelabelConfigs to apply to samples before scraping
admissionController.serviceMonitor.metricRelabelingsπ
Type: list
[]
Description: MetricRelabelConfigs to apply to samples before ingestion.
admissionController.tracing.enabledπ
Type: bool
false
Description: Enable tracing
admissionController.tracing.addressπ
Type: string
nil
Description: Traces receiver address
admissionController.tracing.portπ
Type: string
nil
Description: Traces receiver port
admissionController.tracing.credsπ
Type: string
""
Description: Traces receiver credentials
admissionController.metering.disabledπ
Type: bool
false
Description: Disable metrics export
admissionController.metering.configπ
Type: string
"prometheus"
Description: Otel configuration, can be `prometheus` or `grpc`
admissionController.metering.portπ
Type: int
8000
Description: Prometheus endpoint port
admissionController.metering.collectorπ
Type: string
""
Description: Otel collector endpoint
admissionController.metering.credsπ
Type: string
""
Description: Otel collector credentials
backgroundController.featuresOverrideπ
Type: object
{}
Description: Overrides features defined at the root level
backgroundController.enabledπ
Type: bool
true
Description: Enable background controller.
backgroundController.rbac.createπ
Type: bool
true
Description: Create RBAC resources
backgroundController.rbac.serviceAccount.nameπ
Type: string
nil
Description: Service account name
backgroundController.rbac.serviceAccount.annotationsπ
Type: object
{}
Description: Annotations for the ServiceAccount
backgroundController.rbac.serviceAccount.automountServiceAccountToken.enabledπ
Type: bool
false
backgroundController.rbac.deployment.automountServiceAccountToken.enabledπ
Type: bool
true
backgroundController.rbac.clusterRole.extraResourcesπ
Type: list
[]
Description: Extra resource permissions to add in the cluster role
backgroundController.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
backgroundController.image.repositoryπ
Type: string
"ironbank/opensource/kyverno/kyverno/background-controller"
Description: Image repository
backgroundController.image.tagπ
Type: string
"v1.11.4"
Description: Image tag Defaults to appVersion in Chart.yaml if omitted
backgroundController.image.pullPolicyπ
Type: string
"IfNotPresent"
Description: Image pull policy
backgroundController.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
backgroundController.replicasπ
Type: int
nil
Description: Desired number of pods
backgroundController.podLabelsπ
Type: object
{}
Description: Additional labels to add to each pod
backgroundController.podAnnotationsπ
Type: object
{}
Description: Additional annotations to add to each pod
backgroundController.priorityClassNameπ
Type: string
""
Description: Optional priority class
backgroundController.hostNetworkπ
Type: bool
false
Description: Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode.
backgroundController.dnsPolicyπ
Type: string
"ClusterFirst"
Description: `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
backgroundController.extraArgsπ
Type: object
{}
Description: Extra arguments passed to the container on the command line
backgroundController.extraEnvVarsπ
Type: list
[]
Description: Additional container environment variables.
backgroundController.resources.limitsπ
Type: object
memory: 128Mi
Description: Pod resource limits
backgroundController.resources.requestsπ
Type: object
cpu: 100m
memory: 64Mi
Description: Pod resource requests
backgroundController.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
backgroundController.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
backgroundController.antiAffinity.enabledπ
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
backgroundController.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
backgroundController.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
backgroundController.topologySpreadConstraintsπ
Type: list
[]
Description: Topology spread constraints.
backgroundController.podSecurityContextπ
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
backgroundController.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
backgroundController.podDisruptionBudget.enabledπ
Type: bool
false
Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
backgroundController.podDisruptionBudget.minAvailableπ
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set.
backgroundController.podDisruptionBudget.maxUnavailableπ
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set.
backgroundController.metricsService.createπ
Type: bool
true
Description: Create service.
backgroundController.metricsService.portπ
Type: int
8000
Description: Service port. Metrics server will be exposed at this port.
backgroundController.metricsService.typeπ
Type: string
"ClusterIP"
Description: Service type.
backgroundController.metricsService.nodePortπ
Type: string
nil
Description: Service node port. Only used if `metricsService.type` is `NodePort`.
backgroundController.metricsService.annotationsπ
Type: object
{}
Description: Service annotations.
backgroundController.networkPolicy.enabledπ
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook. This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
backgroundController.networkPolicy.ingressFromπ
Type: list
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
backgroundController.serviceMonitor.enabledπ
Type: bool
false
Description: Create a `ServiceMonitor` to collect Prometheus metrics.
backgroundController.serviceMonitor.additionalLabelsπ
Type: object
{}
Description: Additional labels
backgroundController.serviceMonitor.namespaceπ
Type: string
nil
Description: Override namespace
backgroundController.serviceMonitor.intervalπ
Type: string
"30s"
Description: Interval to scrape metrics
backgroundController.serviceMonitor.scrapeTimeoutπ
Type: string
"25s"
Description: Timeout if metrics can't be retrieved in given time interval
backgroundController.serviceMonitor.secureπ
Type: bool
false
Description: Is TLS required for endpoint
backgroundController.serviceMonitor.tlsConfigπ
Type: object
{}
Description: TLS Configuration for endpoint
backgroundController.serviceMonitor.relabelingsπ
Type: list
[]
Description: RelabelConfigs to apply to samples before scraping
backgroundController.serviceMonitor.metricRelabelingsπ
Type: list
[]
Description: MetricRelabelConfigs to apply to samples before ingestion.
backgroundController.tracing.enabledπ
Type: bool
false
Description: Enable tracing
backgroundController.tracing.addressπ
Type: string
nil
Description: Traces receiver address
backgroundController.tracing.portπ
Type: string
nil
Description: Traces receiver port
backgroundController.tracing.credsπ
Type: string
""
Description: Traces receiver credentials
backgroundController.metering.disabledπ
Type: bool
false
Description: Disable metrics export
backgroundController.metering.configπ
Type: string
"prometheus"
Description: Otel configuration, can be `prometheus` or `grpc`
backgroundController.metering.portπ
Type: int
8000
Description: Prometheus endpoint port
backgroundController.metering.collectorπ
Type: string
""
Description: Otel collector endpoint
backgroundController.metering.credsπ
Type: string
""
Description: Otel collector credentials
cleanupController.featuresOverrideπ
Type: object
{}
Description: Overrides features defined at the root level
cleanupController.enabledπ
Type: bool
true
Description: Enable cleanup controller.
cleanupController.rbac.createπ
Type: bool
true
Description: Create RBAC resources
cleanupController.rbac.serviceAccount.nameπ
Type: string
nil
Description: Service account name
cleanupController.rbac.serviceAccount.annotationsπ
Type: object
{}
Description: Annotations for the ServiceAccount
cleanupController.rbac.serviceAccount.automountServiceAccountToken.enabledπ
Type: bool
false
cleanupController.rbac.deployment.automountServiceAccountToken.enabledπ
Type: bool
true
cleanupController.rbac.clusterRole.extraResourcesπ
Type: list
[]
Description: Extra resource permissions to add in the cluster role
cleanupController.createSelfSignedCertπ
Type: bool
false
Description: Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`, so rotation has to be handled outside the chart.
cleanupController.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
cleanupController.image.repositoryπ
Type: string
"ironbank/opensource/kyverno/kyverno/cleanup-controller"
Description: Image repository
cleanupController.image.tagπ
Type: string
"v1.11.4"
Description: Image tag. Defaults to `appVersion` in Chart.yaml if omitted.
cleanupController.image.pullPolicyπ
Type: string
"IfNotPresent"
Description: Image pull policy
cleanupController.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
cleanupController.replicasπ
Type: int
nil
Description: Desired number of pods
cleanupController.podLabelsπ
Type: object
{}
Description: Additional labels to add to each pod
cleanupController.podAnnotationsπ
Type: object
{}
Description: Additional annotations to add to each pod
cleanupController.priorityClassNameπ
Type: string
""
Description: Optional priority class
cleanupController.hostNetworkπ
Type: bool
false
Description: Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode.
cleanupController.dnsPolicyπ
Type: string
"ClusterFirst"
Description: `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
cleanupController.extraArgsπ
Type: object
{}
Description: Extra arguments passed to the container on the command line
cleanupController.extraEnvVarsπ
Type: list
[]
Description: Additional container environment variables.
cleanupController.resources.limitsπ
Type: object
memory: 128Mi
Description: Pod resource limits
cleanupController.resources.requestsπ
Type: object
cpu: 100m
memory: 64Mi
Description: Pod resource requests
cleanupController.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
cleanupController.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
cleanupController.antiAffinity.enabledπ
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
cleanupController.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
cleanupController.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
cleanupController.topologySpreadConstraintsπ
Type: list
[]
Description: Topology spread constraints.
cleanupController.podSecurityContextπ
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
cleanupController.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
cleanupController.podDisruptionBudget.enabledπ
Type: bool
false
Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
cleanupController.podDisruptionBudget.minAvailableπ
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set.
cleanupController.podDisruptionBudget.maxUnavailableπ
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set.
cleanupController.service.portπ
Type: int
443
Description: Service port.
cleanupController.service.typeπ
Type: string
"ClusterIP"
Description: Service type.
cleanupController.service.nodePortπ
Type: string
nil
Description: Service node port. Only used if `service.type` is `NodePort`.
cleanupController.service.annotationsπ
Type: object
{}
Description: Service annotations.
cleanupController.metricsService.createπ
Type: bool
true
Description: Create service.
cleanupController.metricsService.portπ
Type: int
8000
Description: Service port. Metrics server will be exposed at this port.
cleanupController.metricsService.typeπ
Type: string
"ClusterIP"
Description: Service type.
cleanupController.metricsService.nodePortπ
Type: string
nil
Description: Service node port. Only used if `metricsService.type` is `NodePort`.
cleanupController.metricsService.annotationsπ
Type: object
{}
Description: Service annotations.
cleanupController.networkPolicy.enabledπ
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook. This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
cleanupController.networkPolicy.ingressFromπ
Type: list
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
cleanupController.serviceMonitor.enabledπ
Type: bool
false
Description: Create a `ServiceMonitor` to collect Prometheus metrics.
cleanupController.serviceMonitor.additionalLabelsπ
Type: object
{}
Description: Additional labels
cleanupController.serviceMonitor.namespaceπ
Type: string
nil
Description: Override namespace
cleanupController.serviceMonitor.intervalπ
Type: string
"30s"
Description: Interval to scrape metrics
cleanupController.serviceMonitor.scrapeTimeoutπ
Type: string
"25s"
Description: Timeout if metrics can't be retrieved in given time interval
cleanupController.serviceMonitor.secureπ
Type: bool
false
Description: Is TLS required for endpoint
cleanupController.serviceMonitor.tlsConfigπ
Type: object
{}
Description: TLS Configuration for endpoint
cleanupController.serviceMonitor.relabelingsπ
Type: list
[]
Description: RelabelConfigs to apply to samples before scraping
cleanupController.serviceMonitor.metricRelabelingsπ
Type: list
[]
Description: MetricRelabelConfigs to apply to samples before ingestion.
cleanupController.tracing.enabledπ
Type: bool
false
Description: Enable tracing
cleanupController.tracing.addressπ
Type: string
nil
Description: Traces receiver address
cleanupController.tracing.portπ
Type: string
nil
Description: Traces receiver port
cleanupController.tracing.credsπ
Type: string
""
Description: Traces receiver credentials
cleanupController.metering.disabledπ
Type: bool
false
Description: Disable metrics export
cleanupController.metering.configπ
Type: string
"prometheus"
Description: Otel configuration, can be `prometheus` or `grpc`
cleanupController.metering.portπ
Type: int
8000
Description: Prometheus endpoint port
cleanupController.metering.collectorπ
Type: string
""
Description: Otel collector endpoint
cleanupController.metering.credsπ
Type: string
""
Description: Otel collector credentials
reportsController.featuresOverrideπ
Type: object
{}
Description: Overrides features defined at the root level
reportsController.enabledπ
Type: bool
true
Description: Enable reports controller.
reportsController.rbac.createπ
Type: bool
true
Description: Create RBAC resources
reportsController.rbac.serviceAccount.nameπ
Type: string
nil
Description: Service account name
reportsController.rbac.serviceAccount.annotationsπ
Type: object
{}
Description: Annotations for the ServiceAccount
reportsController.rbac.serviceAccount.automountServiceAccountToken.enabledπ
Type: bool
false
reportsController.rbac.deployment.automountServiceAccountToken.enabledπ
Type: bool
true
reportsController.rbac.clusterRole.extraResourcesπ
Type: list
[]
Description: Extra resource permissions to add in the cluster role
reportsController.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
reportsController.image.repositoryπ
Type: string
"ironbank/opensource/kyverno/kyverno/reports-controller"
Description: Image repository
reportsController.image.tagπ
Type: string
"v1.11.4"
Description: Image tag. Defaults to `appVersion` in Chart.yaml if omitted.
reportsController.image.pullPolicyπ
Type: string
"IfNotPresent"
Description: Image pull policy
reportsController.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
reportsController.replicasπ
Type: int
nil
Description: Desired number of pods
reportsController.podLabelsπ
Type: object
{}
Description: Additional labels to add to each pod
reportsController.podAnnotationsπ
Type: object
{}
Description: Additional annotations to add to each pod
reportsController.priorityClassNameπ
Type: string
""
Description: Optional priority class
reportsController.apiPriorityAndFairnessπ
Type: bool
false
Description: Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno reports controller activities. This will help ensure Kyverno reports stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
reportsController.hostNetworkπ
Type: bool
false
Description: Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode.
reportsController.dnsPolicyπ
Type: string
"ClusterFirst"
Description: `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
reportsController.extraArgsπ
Type: object
{}
Description: Extra arguments passed to the container on the command line
reportsController.extraEnvVarsπ
Type: list
[]
Description: Additional container environment variables.
reportsController.resources.limitsπ
Type: object
memory: 128Mi
Description: Pod resource limits
reportsController.resources.requestsπ
Type: object
cpu: 100m
memory: 64Mi
Description: Pod resource requests
reportsController.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
reportsController.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
reportsController.antiAffinity.enabledπ
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
reportsController.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
reportsController.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
reportsController.topologySpreadConstraintsπ
Type: list
[]
Description: Topology spread constraints.
reportsController.podSecurityContextπ
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
reportsController.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
reportsController.podDisruptionBudget.enabledπ
Type: bool
false
Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
reportsController.podDisruptionBudget.minAvailableπ
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set.
reportsController.podDisruptionBudget.maxUnavailableπ
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set.
reportsController.tufRootMountPathπ
Type: string
"/.sigstore"
Description: A writable volume to use for the TUF root initialization.
reportsController.sigstoreVolumeπ
Type: object
emptyDir: {}
Description: Volume to be mounted in pods for TUF/cosign work.
reportsController.metricsService.createπ
Type: bool
true
Description: Create service.
reportsController.metricsService.portπ
Type: int
8000
Description: Service port. Metrics server will be exposed at this port.
reportsController.metricsService.typeπ
Type: string
"ClusterIP"
Description: Service type.
reportsController.metricsService.nodePortπ
Type: string
nil
Description: Service node port. Only used if `type` is `NodePort`.
reportsController.metricsService.annotationsπ
Type: object
{}
Description: Service annotations.
reportsController.networkPolicy.enabledπ
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook. This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
reportsController.networkPolicy.ingressFromπ
Type: list
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
reportsController.serviceMonitor.enabledπ
Type: bool
false
Description: Create a `ServiceMonitor` to collect Prometheus metrics.
reportsController.serviceMonitor.additionalLabelsπ
Type: object
{}
Description: Additional labels
reportsController.serviceMonitor.namespaceπ
Type: string
nil
Description: Override namespace
reportsController.serviceMonitor.intervalπ
Type: string
"30s"
Description: Interval to scrape metrics
reportsController.serviceMonitor.scrapeTimeoutπ
Type: string
"25s"
Description: Timeout if metrics can't be retrieved in given time interval
reportsController.serviceMonitor.secureπ
Type: bool
false
Description: Is TLS required for endpoint
reportsController.serviceMonitor.tlsConfigπ
Type: object
{}
Description: TLS Configuration for endpoint
reportsController.serviceMonitor.relabelingsπ
Type: list
[]
Description: RelabelConfigs to apply to samples before scraping
reportsController.serviceMonitor.metricRelabelingsπ
Type: list
[]
Description: MetricRelabelConfigs to apply to samples before ingestion.
reportsController.tracing.enabledπ
Type: bool
false
Description: Enable tracing
reportsController.tracing.addressπ
Type: string
nil
Description: Traces receiver address
reportsController.tracing.portπ
Type: string
nil
Description: Traces receiver port
reportsController.tracing.credsπ
Type: string
nil
Description: Traces receiver credentials
reportsController.metering.disabledπ
Type: bool
false
Description: Disable metrics export
reportsController.metering.configπ
Type: string
"prometheus"
Description: Otel configuration, can be `prometheus` or `grpc`
reportsController.metering.portπ
Type: int
8000
Description: Prometheus endpoint port
reportsController.metering.collectorπ
Type: string
nil
Description: Otel collector endpoint
reportsController.metering.credsπ
Type: string
nil
Description: Otel collector credentials
networkPolicies.enabledπ
Type: bool
false
networkPolicies.controlPlaneCidrπ
Type: string
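"0.0.0.0/0"
Description: CIDR of the cluster control plane (presumably consumed by the chart's NetworkPolicies when `networkPolicies.enabled` is true; confirm against the templates). The default `0.0.0.0/0` matches every IPv4 address, so any rule built from it is not limited to the API server; set it to the cluster's actual control-plane range.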
networkPolicies.externalRegistries.allowEgressπ
Type: bool
false
networkPolicies.externalRegistries.portsπ
Type: list
[]
networkPolicies.allowExternalRegistryEgressπ
Type: bool
false
networkPolicies.additionalPoliciesπ
Type: list
[]
istio.enabledπ
Type: bool
false
openshiftπ
Type: bool
false
bbtests.enabledπ
Type: bool
false
bbtests.scripts.imageπ
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.29.3"
bbtests.scripts.additionalVolumeMounts[0].nameπ
Type: string
"kyverno-bbtest-manifest"
bbtests.scripts.additionalVolumeMounts[0].mountPathπ
Type: string
"/yaml"
bbtests.scripts.additionalVolumes[0].nameπ
Type: string
"kyverno-bbtest-manifest"
bbtests.scripts.additionalVolumes[0].configMap.nameπ
Type: string
"kyverno-bbtest-manifest"