
kyverno values.yamlπŸ“œ

templatingπŸ“œ

Type: object

Default value
debug: false
enabled: false
version: null

Description: Internal settings used with `helm template` to generate the install manifest. (@ignored)

global.image.registryπŸ“œ

Type: string

Default value
nil

Description: Global value that sets a single image registry across all deployments. When set, it overrides any values set under `.image.registry` across the chart.

nameOverrideπŸ“œ

Type: string

Default value
nil

Description: Override the name of the chart

fullnameOverrideπŸ“œ

Type: string

Default value
nil

Description: Override the expanded name of the chart

namespaceOverrideπŸ“œ

Type: string

Default value
nil

Description: Override the namespace the chart deploys to

upgrade.fromV2πŸ“œ

Type: bool

Default value
true

Description: Upgrading from v2 to v3 is not allowed by default; set this to true once the changes have been reviewed. Note that the default value shown above is already true, so this upgrade guard is disabled unless you explicitly set it to false.

apiVersionOverride.podDisruptionBudgetπŸ“œ

Type: string

Default value
"policy/v1"

Description: Override the API version used to create `PodDisruptionBudget` resources. When not specified, the chart checks whether `policy/v1/PodDisruptionBudget` is available to determine the API version automatically.

crds.installπŸ“œ

Type: bool

Default value
true

Description: Whether to have Helm install the Kyverno CRDs. If the CRDs are not installed by Helm, they must be added before policies can be created.

crds.annotationsπŸ“œ

Type: object

Default value
{}

Description: Additional CRDs annotations

crds.customLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional CRDs labels

config.createπŸ“œ

Type: bool

Default value
true

Description: Create the configmap.

config.nameπŸ“œ

Type: string

Default value
nil

Description: The configmap name (required if create is false).

config.annotationsπŸ“œ

Type: object

Default value
{}

Description: Additional annotations to add to the configmap.

config.enableDefaultRegistryMutationπŸ“œ

Type: bool

Default value
true

Description: Enable registry mutation for container images. Enabled by default.

config.defaultRegistryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: The registry hostname used for the image mutation.

config.excludeGroupsπŸ“œ

Type: list

Default value
- system:nodes

Description: Exclude groups

config.excludeUsernamesπŸ“œ

Type: list

Default value
[]

Description: Exclude usernames

config.excludeRolesπŸ“œ

Type: list

Default value
[]

Description: Exclude roles

config.excludeClusterRolesπŸ“œ

Type: list

Default value
[]

Description: Exclude cluster roles

config.generateSuccessEventsπŸ“œ

Type: bool

Default value
false

Description: Generate success events.

config.webhooksπŸ“œ

Type: list

Default value
[]

Description: Defines the namespaceSelector in the webhook configurations. Note that it takes a list of namespaceSelector and/or objectSelector entries in JSON format, and only the first element is forwarded to the webhook configurations. The Kyverno namespace is excluded if excludeKyvernoNamespace is true (the default).

config.webhookAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Defines annotations to set on webhook configurations.

config.matchConditionsπŸ“œ

Type: list

Default value
[]

Description: Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+).

config.excludeKyvernoNamespaceπŸ“œ

Type: bool

Default value
true

Description: Exclude the Kyverno namespace. Determines whether the default Kyverno namespace exclusion is enabled for webhooks and resourceFilters.

config.resourceFiltersExcludeNamespacesπŸ“œ

Type: list

Default value
[]

Description: Namespaces to exclude from the default resourceFilters.

metricsConfig.createπŸ“œ

Type: bool

Default value
true

Description: Create the configmap.

metricsConfig.nameπŸ“œ

Type: string

Default value
nil

Description: The configmap name (required if create is false).

metricsConfig.annotationsπŸ“œ

Type: object

Default value
{}

Description: Additional annotations to add to the configmap.

metricsConfig.namespaces.includeπŸ“œ

Type: list

Default value
[]

Description: List of namespaces to capture metrics for.

metricsConfig.namespaces.excludeπŸ“œ

Type: list

Default value
[]

Description: list of namespaces to NOT capture metrics for.

metricsConfig.metricsRefreshIntervalπŸ“œ

Type: string

Default value
nil

Description: Rate at which metrics should reset in order to clean up the memory footprint of Kyverno metrics, if you expect a high memory footprint from Kyverno's metrics. Default: 0, no refresh of metrics. WARNING: This flag has not been working since Kyverno 1.8.0.

metricsConfig.bucketBoundariesπŸ“œ

Type: list

Default value
- 0.005
- 0.01
- 0.025
- 0.05
- 0.1
- 0.25
- 0.5
- 1
- 2.5
- 5
- 10
- 15
- 20
- 25
- 30

Description: Configures the bucket boundaries for all Histogram metrics. Changing this configuration requires a restart of the Kyverno admission controller.

metricsConfig.metricsExposureπŸ“œ

Type: map

Default value
nil

Description: Configures the exposure of individual metrics. By default all metrics and all labels are exported. Changing this configuration requires a restart of the Kyverno admission controller.

imagePullSecretsπŸ“œ

Type: object

Default value
{}

Description: Image pull secrets for image verification policies; this defines the --imagePullSecrets argument.

existingImagePullSecretsπŸ“œ

Type: list

Default value
- private-registry

Description: Existing image pull secrets for image verification policies; this defines the --imagePullSecrets argument.

test.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

test.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/redhat/ubi/ubi9-minimal"

Description: Image repository

test.image.tagπŸ“œ

Type: string

Default value
"9.3"

Description: Image tag. Defaults to latest if omitted.

test.image.pullPolicyπŸ“œ

Type: string

Default value
nil

Description: Image pull policy. Defaults to image.pullPolicy if omitted.

test.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

test.resources.limitsπŸ“œ

Type: object

Default value
cpu: 100m
memory: 256Mi

Description: Pod resource limits

test.resources.requestsπŸ“œ

Type: object

Default value
cpu: 10m
memory: 64Mi

Description: Pod resource requests

test.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534

Description: Security context for the test pod

test.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
  type: RuntimeDefault

Description: Security context for the test containers

customLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels

webhooksCleanup.enabledπŸ“œ

Type: bool

Default value
true

Description: Create a Helm pre-delete hook to clean up webhooks.

webhooksCleanup.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

webhooksCleanup.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

webhooksCleanup.image.tagπŸ“œ

Type: string

Default value
"v1.29.3"

Description: Image tag. Defaults to latest if omitted.

webhooksCleanup.image.pullPolicyπŸ“œ

Type: string

Default value
nil

Description: Image pull policy. Defaults to image.pullPolicy if omitted.

webhooksCleanup.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

webhooksCleanup.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

webhooksCleanup.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001

Description: Security context for the pod

webhooksCleanup.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

webhooksCleanup.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

webhooksCleanup.podAntiAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod anti affinity constraints.

webhooksCleanup.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

webhooksCleanup.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

webhooksCleanup.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
  type: RuntimeDefault

Description: Security context for the hook containers

webhooksCleanup.resourcesπŸ“œ

Type: object

Default value
limits:
  cpu: '0.5'
  memory: 256Mi
requests:
  cpu: '0.5'
  memory: 256Mi

Description: Resource requests and limits for the containers

policyReportsCleanup.enabledπŸ“œ

Type: bool

Default value
true

Description: Create a Helm post-upgrade hook to clean up the old policy reports.

policyReportsCleanup.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

policyReportsCleanup.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

policyReportsCleanup.image.tagπŸ“œ

Type: string

Default value
"v1.29.3"

Description: Image tag. Defaults to latest if omitted.

policyReportsCleanup.image.pullPolicyπŸ“œ

Type: string

Default value
nil

Description: Image pull policy. Defaults to image.pullPolicy if omitted.

policyReportsCleanup.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

policyReportsCleanup.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001

Description: Security context for the pod

policyReportsCleanup.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

policyReportsCleanup.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

policyReportsCleanup.podAntiAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod anti affinity constraints.

policyReportsCleanup.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

policyReportsCleanup.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

policyReportsCleanup.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
  type: RuntimeDefault

Description: Security context for the hook containers

policyReportsCleanup.resourcesπŸ“œ

Type: object

Default value
limits:
  cpu: '0.5'
  memory: 256Mi
requests:
  cpu: '0.5'
  memory: 256Mi

Description: Resource requests and limits for the containers

grafana.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable grafana dashboard creation.

grafana.configMapNameπŸ“œ

Type: string

Default value
"{{ include \"kyverno.fullname\" . }}-grafana"

Description: Configmap name template.

grafana.namespaceπŸ“œ

Type: string

Default value
nil

Description: Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed.

grafana.annotationsπŸ“œ

Type: object

Default value
{}

Description: Grafana dashboard configmap annotations.

grafana.labelsπŸ“œ

Type: object

Default value
grafana_dashboard: '1'

Description: Grafana dashboard configmap labels

grafana.grafanaDashboardπŸ“œ

Type: object

Default value
create: false
matchLabels:
  dashboards: grafana

Description: Create a GrafanaDashboard custom resource referencing the ConfigMap, per https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/

features.admissionReports.enabledπŸ“œ

Type: bool

Default value
true

Description: Enables the feature

features.aggregateReports.enabledπŸ“œ

Type: bool

Default value
true

Description: Enables the feature

features.policyReports.enabledπŸ“œ

Type: bool

Default value
true

Description: Enables the feature

features.validatingAdmissionPolicyReports.enabledπŸ“œ

Type: bool

Default value
false

Description: Enables the feature

features.autoUpdateWebhooks.enabledπŸ“œ

Type: bool

Default value
true

Description: Enables the feature

features.backgroundScan.enabledπŸ“œ

Type: bool

Default value
true

Description: Enables the feature

features.backgroundScan.backgroundScanWorkersπŸ“œ

Type: int

Default value
2

Description: Number of background scan workers

features.backgroundScan.backgroundScanIntervalπŸ“œ

Type: string

Default value
"1h"

Description: Background scan interval

features.backgroundScan.skipResourceFiltersπŸ“œ

Type: bool

Default value
true

Description: Skips resource filters in background scan

features.configMapCaching.enabledπŸ“œ

Type: bool

Default value
true

Description: Enables the feature

features.deferredLoading.enabledπŸ“œ

Type: bool

Default value
true

Description: Enables the feature

features.dumpPayload.enabledπŸ“œ

Type: bool

Default value
false

Description: Enables the feature

features.forceFailurePolicyIgnore.enabledπŸ“œ

Type: bool

Default value
false

Description: Enables the feature

features.generateValidatingAdmissionPolicy.enabledπŸ“œ

Type: bool

Default value
false

Description: Enables the feature

features.logging.formatπŸ“œ

Type: string

Default value
"text"

Description: Logging format

features.logging.verbosityπŸ“œ

Type: int

Default value
2

Description: Logging verbosity

features.omitEvents.eventTypesπŸ“œ

Type: list

Default value
[]

Description: Events which should not be emitted (possible values PolicyViolation, PolicyApplied, PolicyError, and PolicySkipped)

features.policyExceptions.enabledπŸ“œ

Type: bool

Default value
true

Description: Enables the feature

features.policyExceptions.namespaceπŸ“œ

Type: string

Default value
"kyverno"

Description: Restrict policy exceptions to a single namespace

features.protectManagedResources.enabledπŸ“œ

Type: bool

Default value
false

Description: Enables the feature

features.registryClient.allowInsecureπŸ“œ

Type: bool

Default value
false

Description: Allow insecure registry

features.registryClient.credentialHelpersπŸ“œ

Type: list

Default value
- default
- google
- amazon
- azure
- github

Description: Enable registry client helpers

features.reports.chunkSizeπŸ“œ

Type: int

Default value
1000

Description: Reports chunk size

features.ttlController.reconciliationIntervalπŸ“œ

Type: string

Default value
"1m"

Description: Reconciliation interval for the label based cleanup manager

features.tuf.enabledπŸ“œ

Type: bool

Default value
false

Description: Enables the feature

features.tuf.rootπŸ“œ

Type: string

Default value
nil

Description: TUF root

features.tuf.mirrorπŸ“œ

Type: string

Default value
nil

Description: TUF mirror

cleanupJobs.rbac.serviceAccount.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
false

cleanupJobs.admissionReports.enabledπŸ“œ

Type: bool

Default value
true

Description: Enable cleanup cronjob

cleanupJobs.admissionReports.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

cleanupJobs.admissionReports.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupJobs.admissionReports.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

cleanupJobs.admissionReports.image.tagπŸ“œ

Type: string

Default value
"v1.29.3"

Description: Image tag. Defaults to latest if omitted.

cleanupJobs.admissionReports.image.pullPolicyπŸ“œ

Type: string

Default value
nil

Description: Image pull policy. Defaults to image.pullPolicy if omitted.

cleanupJobs.admissionReports.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

cleanupJobs.admissionReports.scheduleπŸ“œ

Type: string

Default value
"*/10 * * * *"

Description: Cronjob schedule

cleanupJobs.admissionReports.thresholdπŸ“œ

Type: int

Default value
10000

Description: Reports threshold; if the number of reports is above this value, the cronjob starts deleting them.

cleanupJobs.admissionReports.historyπŸ“œ

Type: object

Default value
failure: 1
success: 1

Description: Cronjob history

cleanupJobs.admissionReports.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

cleanupJobs.admissionReports.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

cleanupJobs.admissionReports.resourcesπŸ“œ

Type: object

Default value
{}

Description: Job resources

cleanupJobs.admissionReports.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

cleanupJobs.admissionReports.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

cleanupJobs.admissionReports.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Pod Annotations

cleanupJobs.admissionReports.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Pod labels

cleanupJobs.admissionReports.podAntiAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod anti affinity constraints.

cleanupJobs.admissionReports.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

cleanupJobs.admissionReports.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

cleanupJobs.clusterAdmissionReports.enabledπŸ“œ

Type: bool

Default value
true

Description: Enable cleanup cronjob

cleanupJobs.clusterAdmissionReports.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

cleanupJobs.clusterAdmissionReports.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupJobs.clusterAdmissionReports.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

cleanupJobs.clusterAdmissionReports.image.tagπŸ“œ

Type: string

Default value
"v1.29.3"

Description: Image tag. Defaults to latest if omitted.

cleanupJobs.clusterAdmissionReports.image.pullPolicyπŸ“œ

Type: string

Default value
nil

Description: Image pull policy. Defaults to image.pullPolicy if omitted.

cleanupJobs.clusterAdmissionReports.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

cleanupJobs.clusterAdmissionReports.scheduleπŸ“œ

Type: string

Default value
"*/10 * * * *"

Description: Cronjob schedule

cleanupJobs.clusterAdmissionReports.thresholdπŸ“œ

Type: int

Default value
10000

Description: Reports threshold; if the number of reports is above this value, the cronjob starts deleting them.

cleanupJobs.clusterAdmissionReports.historyπŸ“œ

Type: object

Default value
failure: 1
success: 1

Description: Cronjob history

cleanupJobs.clusterAdmissionReports.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

cleanupJobs.clusterAdmissionReports.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

cleanupJobs.clusterAdmissionReports.resourcesπŸ“œ

Type: object

Default value
{}

Description: Job resources

cleanupJobs.clusterAdmissionReports.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

cleanupJobs.clusterAdmissionReports.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

cleanupJobs.clusterAdmissionReports.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Pod Annotations

cleanupJobs.clusterAdmissionReports.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Pod Labels

cleanupJobs.clusterAdmissionReports.podAntiAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod anti affinity constraints.

cleanupJobs.clusterAdmissionReports.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

cleanupJobs.clusterAdmissionReports.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

admissionController.featuresOverrideπŸ“œ

Type: object

Default value
{}

Description: Overrides features defined at the root level

admissionController.rbac.createπŸ“œ

Type: bool

Default value
true

Description: Create RBAC resources

admissionController.rbac.serviceAccount.nameπŸ“œ

Type: string

Default value
nil

Description: The ServiceAccount name

admissionController.rbac.serviceAccount.annotationsπŸ“œ

Type: object

Default value
{}

Description: Annotations for the ServiceAccount

admissionController.rbac.serviceAccount.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
false

admissionController.rbac.deployment.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

admissionController.rbac.clusterRole.extraResourcesπŸ“œ

Type: list

Default value
[]

Description: Extra resource permissions to add in the cluster role

admissionController.createSelfSignedCertπŸ“œ

Type: bool

Default value
false

Description: Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to true.

admissionController.replicasπŸ“œ

Type: int

Default value
3

Description: Desired number of pods

admissionController.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels to add to each pod

admissionController.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Additional annotations to add to each pod

admissionController.priorityClassNameπŸ“œ

Type: string

Default value
""

Description: Optional priority class

admissionController.apiPriorityAndFairnessπŸ“œ

Type: bool

Default value
false

Description: Change apiPriorityAndFairness to true if you want to insulate the API calls made by Kyverno admission controller activities. This will help ensure Kyverno stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/

admissionController.hostNetworkπŸ“œ

Type: bool

Default value
false

Description: Change hostNetwork to true when you want the pod to share its host's network namespace. Useful for situations such as a custom CNI on Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.

admissionController.dnsPolicyπŸ“œ

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

admissionController.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

admissionController.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

admissionController.antiAffinity.enabledπŸ“œ

Type: bool

Default value
true

Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.

admissionController.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

admissionController.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

admissionController.topologySpreadConstraintsπŸ“œ

Type: list

Default value
[]

Description: Topology spread constraints.

admissionController.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001

Description: Security context for the pod

admissionController.podDisruptionBudget.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.

admissionController.podDisruptionBudget.minAvailableπŸ“œ

Type: int

Default value
1

Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.

admissionController.podDisruptionBudget.maxUnavailableπŸ“œ

Type: string

Default value
nil

Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.

admissionController.tufRootMountPathπŸ“œ

Type: string

Default value
"/.sigstore"

Description: A writable volume to use for the TUF root initialization.

admissionController.sigstoreVolumeπŸ“œ

Type: object

Default value
emptyDir: {}

Description: Volume to be mounted in pods for TUF/cosign work.

admissionController.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

admissionController.initContainer.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

admissionController.initContainer.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kyverno/kyvernopre"

Description: Image repository

admissionController.initContainer.image.tagπŸ“œ

Type: string

Default value
"v1.11.4"

Description: Image tag. If missing, defaults to image.tag.

admissionController.initContainer.image.pullPolicyπŸ“œ

Type: string

Default value
nil

Description: Image pull policy. If missing, defaults to image.pullPolicy.

admissionController.initContainer.resources.limitsπŸ“œ

Type: object

Default value
cpu: 100m
memory: 256Mi

Description: Pod resource limits

admissionController.initContainer.resources.requestsπŸ“œ

Type: object

Default value
cpu: 10m
memory: 64Mi

Description: Pod resource requests

admissionController.initContainer.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
  type: RuntimeDefault

Description: Container security context

admissionController.initContainer.extraArgsπŸ“œ

Type: object

Default value
{}

Description: Additional container args.

admissionController.initContainer.extraEnvVarsπŸ“œ

Type: list

Default value
[]

Description: Additional container environment variables.

admissionController.container.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

admissionController.container.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kyverno"

Description: Image repository

admissionController.container.image.tagπŸ“œ

Type: string

Default value
"v1.11.4"

Description: Image tag. Defaults to appVersion in Chart.yaml if omitted.

admissionController.container.image.pullPolicyπŸ“œ

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

admissionController.container.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

admissionController.container.resources.limitsπŸ“œ

Type: object

Default value
cpu: 500m
memory: 512Mi

Description: Pod resource limits

admissionController.container.resources.requestsπŸ“œ

Type: object

Default value
cpu: 500m
memory: 512Mi

Description: Pod resource requests

admissionController.container.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
  type: RuntimeDefault

Description: Container security context

admissionController.container.extraArgsπŸ“œ

Type: object

Default value
{}

Description: Additional container args.

admissionController.container.extraEnvVarsπŸ“œ

Type: list

Default value
[]

Description: Additional container environment variables.

admissionController.extraInitContainersπŸ“œ

Type: list

Default value
[]

Description: Array of extra init containers

admissionController.extraContainersπŸ“œ

Type: list

Default value
[]

Description: Array of extra containers to run alongside kyverno

admissionController.service.portπŸ“œ

Type: int

Default value
443

Description: Service port.

admissionController.service.typeπŸ“œ

Type: string

Default value
"ClusterIP"

Description: Service type.

admissionController.service.nodePortπŸ“œ

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

admissionController.service.annotationsπŸ“œ

Type: object

Default value
{}

Description: Service annotations.

admissionController.metricsService.createπŸ“œ

Type: bool

Default value
true

Description: Create service.

admissionController.metricsService.portπŸ“œ

Type: int

Default value
8000

Description: Service port. Kyverno's metrics server will be exposed at this port.

admissionController.metricsService.typeπŸ“œ

Type: string

Default value
"ClusterIP"

Description: Service type.

admissionController.metricsService.nodePortπŸ“œ

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

admissionController.metricsService.annotationsπŸ“œ

Type: object

Default value
{}

Description: Service annotations.

admissionController.networkPolicy.enabledπŸ“œ

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to the webhook. This is useful on clusters using Calico and/or native Kubernetes network policies in a default-deny setup.

admissionController.networkPolicy.ingressFromπŸ“œ

Type: list

Default value
[]

Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.

admissionController.serviceMonitor.enabledπŸ“œ

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

admissionController.serviceMonitor.additionalLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels

admissionController.serviceMonitor.namespaceπŸ“œ

Type: string

Default value
nil

Description: Override namespace

admissionController.serviceMonitor.intervalπŸ“œ

Type: string

Default value
"30s"

Description: Interval to scrape metrics

admissionController.serviceMonitor.scrapeTimeoutπŸ“œ

Type: string

Default value
"25s"

Description: Timeout if metrics can't be retrieved in the given time interval

admissionController.serviceMonitor.secureπŸ“œ

Type: bool

Default value
false

Description: Whether TLS is required for the endpoint

admissionController.serviceMonitor.tlsConfigπŸ“œ

Type: object

Default value
{}

Description: TLS Configuration for endpoint

admissionController.serviceMonitor.relabelingsπŸ“œ

Type: list

Default value
[]

Description: RelabelConfigs to apply to samples before scraping

admissionController.serviceMonitor.metricRelabelingsπŸ“œ

Type: list

Default value
[]

Description: MetricRelabelConfigs to apply to samples before ingestion.

admissionController.tracing.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable tracing

admissionController.tracing.addressπŸ“œ

Type: string

Default value
nil

Description: Traces receiver address

admissionController.tracing.portπŸ“œ

Type: string

Default value
nil

Description: Traces receiver port

admissionController.tracing.credsπŸ“œ

Type: string

Default value
""

Description: Traces receiver credentials. Treat this value as a secret: do not commit it in plain text to a values file in version control.

admissionController.metering.disabledπŸ“œ

Type: bool

Default value
false

Description: Disable metrics export

admissionController.metering.configπŸ“œ

Type: string

Default value
"prometheus"

Description: Otel configuration, can be prometheus or grpc

admissionController.metering.portπŸ“œ

Type: int

Default value
8000

Description: Prometheus endpoint port

admissionController.metering.collectorπŸ“œ

Type: string

Default value
""

Description: Otel collector endpoint

admissionController.metering.credsπŸ“œ

Type: string

Default value
""

Description: Otel collector credentials. Treat this value as a secret: do not commit it in plain text to a values file in version control.

backgroundController.featuresOverrideπŸ“œ

Type: object

Default value
{}

Description: Overrides features defined at the root level

backgroundController.enabledπŸ“œ

Type: bool

Default value
true

Description: Enable background controller.

backgroundController.rbac.createπŸ“œ

Type: bool

Default value
true

Description: Create RBAC resources

backgroundController.rbac.serviceAccount.nameπŸ“œ

Type: string

Default value
nil

Description: Service account name

backgroundController.rbac.serviceAccount.annotationsπŸ“œ

Type: object

Default value
{}

Description: Annotations for the ServiceAccount

backgroundController.rbac.serviceAccount.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
false

Description: Sets `automountServiceAccountToken` on the ServiceAccount resource itself. Left false so the token is mounted only where a pod spec explicitly asks for it; token mounting for the controller pods is governed by `backgroundController.rbac.deployment.automountServiceAccountToken.enabled`, which takes precedence over this setting.

backgroundController.rbac.deployment.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

Description: Sets `automountServiceAccountToken` in the controller's pod spec, so a service account token is mounted into the container. The controller presumably authenticates to the Kubernetes API with this token, so disabling it is expected to break the controller unless a token is supplied another way — verify against the chart templates before changing.

backgroundController.rbac.clusterRole.extraResourcesπŸ“œ

Type: list

Default value
[]

Description: Extra resource permissions to add in the cluster role

backgroundController.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

backgroundController.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kyverno/kyverno/background-controller"

Description: Image repository

backgroundController.image.tagπŸ“œ

Type: string

Default value
"v1.11.4"

Description: Image tag. Defaults to appVersion in Chart.yaml if omitted. Keep this pinned to an explicit version (as the default is) rather than a floating tag such as `latest`, so the deployed image is reproducible and reviewable.

backgroundController.image.pullPolicyπŸ“œ

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

backgroundController.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

backgroundController.replicasπŸ“œ

Type: int

Default value
nil

Description: Desired number of pods

backgroundController.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels to add to each pod

backgroundController.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Additional annotations to add to each pod

backgroundController.priorityClassNameπŸ“œ

Type: string

Default value
""

Description: Optional priority class

backgroundController.hostNetworkπŸ“œ

Type: bool

Default value
false

Description: Change hostNetwork to true when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode. Security note: a host-network pod can reach anything the node can and falls outside the Pod Security Standards "baseline" profile, so leave this false unless your CNI genuinely requires it.

backgroundController.dnsPolicyπŸ“œ

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

backgroundController.extraArgsπŸ“œ

Type: object

Default value
{}

Description: Extra arguments passed to the container on the command line

backgroundController.extraEnvVarsπŸ“œ

Type: list

Default value
[]

Description: Additional container environment variables.

backgroundController.resources.limitsπŸ“œ

Type: object

Default value
memory: 128Mi

Description: Pod resource limits

backgroundController.resources.requestsπŸ“œ

Type: object

Default value
cpu: 100m
memory: 64Mi

Description: Pod resource requests

backgroundController.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

backgroundController.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

backgroundController.antiAffinity.enabledπŸ“œ

Type: bool

Default value
true

Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.

backgroundController.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

backgroundController.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

backgroundController.topologySpreadConstraintsπŸ“œ

Type: list

Default value
[]

Description: Topology spread constraints.

backgroundController.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

backgroundController.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

backgroundController.podDisruptionBudget.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.

backgroundController.podDisruptionBudget.minAvailableπŸ“œ

Type: int

Default value
1

Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.

backgroundController.podDisruptionBudget.maxUnavailableπŸ“œ

Type: string

Default value
nil

Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.

backgroundController.metricsService.createπŸ“œ

Type: bool

Default value
true

Description: Create service.

backgroundController.metricsService.portπŸ“œ

Type: int

Default value
8000

Description: Service port. Metrics server will be exposed at this port.

backgroundController.metricsService.typeπŸ“œ

Type: string

Default value
"ClusterIP"

Description: Service type.

backgroundController.metricsService.nodePortπŸ“œ

Type: string

Default value
nil

Description: Service node port. Only used if metricsService.type is NodePort.

backgroundController.metricsService.annotationsπŸ“œ

Type: object

Default value
{}

Description: Service annotations.

backgroundController.networkPolicy.enabledπŸ“œ

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to this controller's pods. This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. Note: the "webhook" wording is inherited from the admission controller; the background controller exposes no webhook service in this chart (only `backgroundController.metricsService`), so the policy presumably governs access to the metrics endpoint — inspect the generated policy before relying on it.

backgroundController.networkPolicy.ingressFromπŸ“œ

Type: list

Default value
[]

Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.

backgroundController.serviceMonitor.enabledπŸ“œ

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

backgroundController.serviceMonitor.additionalLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels

backgroundController.serviceMonitor.namespaceπŸ“œ

Type: string

Default value
nil

Description: Override namespace

backgroundController.serviceMonitor.intervalπŸ“œ

Type: string

Default value
"30s"

Description: Interval to scrape metrics

backgroundController.serviceMonitor.scrapeTimeoutπŸ“œ

Type: string

Default value
"25s"

Description: Timeout if metrics can't be retrieved within the scrape interval.

backgroundController.serviceMonitor.secureπŸ“œ

Type: bool

Default value
false

Description: Whether the ServiceMonitor scrapes the metrics endpoint over TLS. Default false, i.e. metrics are collected in plaintext; when set to true, supply the matching `backgroundController.serviceMonitor.tlsConfig`.

backgroundController.serviceMonitor.tlsConfigπŸ“œ

Type: object

Default value
{}

Description: TLS Configuration for endpoint

backgroundController.serviceMonitor.relabelingsπŸ“œ

Type: list

Default value
[]

Description: RelabelConfigs to apply to samples before scraping

backgroundController.serviceMonitor.metricRelabelingsπŸ“œ

Type: list

Default value
[]

Description: MetricRelabelConfigs to apply to samples before ingestion.

backgroundController.tracing.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable tracing

backgroundController.tracing.addressπŸ“œ

Type: string

Default value
nil

Description: Traces receiver address

backgroundController.tracing.portπŸ“œ

Type: string

Default value
nil

Description: Traces receiver port

backgroundController.tracing.credsπŸ“œ

Type: string

Default value
""

Description: Traces receiver credentials. Treat this value as a secret: do not commit it in plain text to a values file in version control.

backgroundController.metering.disabledπŸ“œ

Type: bool

Default value
false

Description: Disable metrics export

backgroundController.metering.configπŸ“œ

Type: string

Default value
"prometheus"

Description: Otel configuration, can be prometheus or grpc

backgroundController.metering.portπŸ“œ

Type: int

Default value
8000

Description: Prometheus endpoint port

backgroundController.metering.collectorπŸ“œ

Type: string

Default value
""

Description: Otel collector endpoint

backgroundController.metering.credsπŸ“œ

Type: string

Default value
""

Description: Otel collector credentials. Treat this value as a secret: do not commit it in plain text to a values file in version control.

cleanupController.featuresOverrideπŸ“œ

Type: object

Default value
{}

Description: Overrides features defined at the root level

cleanupController.enabledπŸ“œ

Type: bool

Default value
true

Description: Enable cleanup controller.

cleanupController.rbac.createπŸ“œ

Type: bool

Default value
true

Description: Create RBAC resources

cleanupController.rbac.serviceAccount.nameπŸ“œ

Type: string

Default value
nil

Description: Service account name

cleanupController.rbac.serviceAccount.annotationsπŸ“œ

Type: object

Default value
{}

Description: Annotations for the ServiceAccount

cleanupController.rbac.serviceAccount.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
false

Description: Sets `automountServiceAccountToken` on the ServiceAccount resource itself. Left false so the token is mounted only where a pod spec explicitly asks for it; token mounting for the controller pods is governed by `cleanupController.rbac.deployment.automountServiceAccountToken.enabled`, which takes precedence over this setting.

cleanupController.rbac.deployment.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

Description: Sets `automountServiceAccountToken` in the controller's pod spec, so a service account token is mounted into the container. The controller presumably authenticates to the Kubernetes API with this token, so disabling it is expected to break the controller unless a token is supplied another way — verify against the chart templates before changing.

cleanupController.rbac.clusterRole.extraResourcesπŸ“œ

Type: list

Default value
[]

Description: Extra resource permissions to add in the cluster role

cleanupController.createSelfSignedCertπŸ“œ

Type: bool

Default value
false

Description: Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to true, so enabling it makes you responsible for rotating them before expiry — once the certificate expires, the API server will no longer trust the cleanup controller's webhook endpoint.

cleanupController.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupController.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kyverno/kyverno/cleanup-controller"

Description: Image repository

cleanupController.image.tagπŸ“œ

Type: string

Default value
"v1.11.4"

Description: Image tag. Defaults to appVersion in Chart.yaml if omitted. Keep this pinned to an explicit version (as the default is) rather than a floating tag such as `latest`, so the deployed image is reproducible and reviewable.

cleanupController.image.pullPolicyπŸ“œ

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

cleanupController.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

cleanupController.replicasπŸ“œ

Type: int

Default value
nil

Description: Desired number of pods

cleanupController.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels to add to each pod

cleanupController.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Additional annotations to add to each pod

cleanupController.priorityClassNameπŸ“œ

Type: string

Default value
""

Description: Optional priority class

cleanupController.hostNetworkπŸ“œ

Type: bool

Default value
false

Description: Change hostNetwork to true when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode. Security note: a host-network pod can reach anything the node can and falls outside the Pod Security Standards "baseline" profile, so leave this false unless your CNI genuinely requires it.

cleanupController.dnsPolicyπŸ“œ

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

cleanupController.extraArgsπŸ“œ

Type: object

Default value
{}

Description: Extra arguments passed to the container on the command line

cleanupController.extraEnvVarsπŸ“œ

Type: list

Default value
[]

Description: Additional container environment variables.

cleanupController.resources.limitsπŸ“œ

Type: object

Default value
memory: 128Mi

Description: Pod resource limits

cleanupController.resources.requestsπŸ“œ

Type: object

Default value
cpu: 100m
memory: 64Mi

Description: Pod resource requests

cleanupController.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

cleanupController.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

cleanupController.antiAffinity.enabledπŸ“œ

Type: bool

Default value
true

Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.

cleanupController.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

cleanupController.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

cleanupController.topologySpreadConstraintsπŸ“œ

Type: list

Default value
[]

Description: Topology spread constraints.

cleanupController.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

cleanupController.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

cleanupController.podDisruptionBudget.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.

cleanupController.podDisruptionBudget.minAvailableπŸ“œ

Type: int

Default value
1

Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.

cleanupController.podDisruptionBudget.maxUnavailableπŸ“œ

Type: string

Default value
nil

Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.

cleanupController.service.portπŸ“œ

Type: int

Default value
443

Description: Service port.

cleanupController.service.typeπŸ“œ

Type: string

Default value
"ClusterIP"

Description: Service type.

cleanupController.service.nodePortπŸ“œ

Type: string

Default value
nil

Description: Service node port. Only used if service.type is NodePort.

cleanupController.service.annotationsπŸ“œ

Type: object

Default value
{}

Description: Service annotations.

cleanupController.metricsService.createπŸ“œ

Type: bool

Default value
true

Description: Create service.

cleanupController.metricsService.portπŸ“œ

Type: int

Default value
8000

Description: Service port. Metrics server will be exposed at this port.

cleanupController.metricsService.typeπŸ“œ

Type: string

Default value
"ClusterIP"

Description: Service type.

cleanupController.metricsService.nodePortπŸ“œ

Type: string

Default value
nil

Description: Service node port. Only used if metricsService.type is NodePort.

cleanupController.metricsService.annotationsπŸ“œ

Type: object

Default value
{}

Description: Service annotations.

cleanupController.networkPolicy.enabledπŸ“œ

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to the webhook. This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.

cleanupController.networkPolicy.ingressFromπŸ“œ

Type: list

Default value
[]

Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.

cleanupController.serviceMonitor.enabledπŸ“œ

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

cleanupController.serviceMonitor.additionalLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels

cleanupController.serviceMonitor.namespaceπŸ“œ

Type: string

Default value
nil

Description: Override namespace

cleanupController.serviceMonitor.intervalπŸ“œ

Type: string

Default value
"30s"

Description: Interval to scrape metrics

cleanupController.serviceMonitor.scrapeTimeoutπŸ“œ

Type: string

Default value
"25s"

Description: Timeout if metrics can't be retrieved within the scrape interval.

cleanupController.serviceMonitor.secureπŸ“œ

Type: bool

Default value
false

Description: Whether the ServiceMonitor scrapes the metrics endpoint over TLS. Default false, i.e. metrics are collected in plaintext; when set to true, supply the matching `cleanupController.serviceMonitor.tlsConfig`.

cleanupController.serviceMonitor.tlsConfigπŸ“œ

Type: object

Default value
{}

Description: TLS Configuration for endpoint

cleanupController.serviceMonitor.relabelingsπŸ“œ

Type: list

Default value
[]

Description: RelabelConfigs to apply to samples before scraping

cleanupController.serviceMonitor.metricRelabelingsπŸ“œ

Type: list

Default value
[]

Description: MetricRelabelConfigs to apply to samples before ingestion.

cleanupController.tracing.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable tracing

cleanupController.tracing.addressπŸ“œ

Type: string

Default value
nil

Description: Traces receiver address

cleanupController.tracing.portπŸ“œ

Type: string

Default value
nil

Description: Traces receiver port

cleanupController.tracing.credsπŸ“œ

Type: string

Default value
""

Description: Traces receiver credentials. Treat this value as a secret: do not commit it in plain text to a values file in version control.

cleanupController.metering.disabledπŸ“œ

Type: bool

Default value
false

Description: Disable metrics export

cleanupController.metering.configπŸ“œ

Type: string

Default value
"prometheus"

Description: Otel configuration, can be prometheus or grpc

cleanupController.metering.portπŸ“œ

Type: int

Default value
8000

Description: Prometheus endpoint port

cleanupController.metering.collectorπŸ“œ

Type: string

Default value
""

Description: Otel collector endpoint

cleanupController.metering.credsπŸ“œ

Type: string

Default value
""

Description: Otel collector credentials. Treat this value as a secret: do not commit it in plain text to a values file in version control.

reportsController.featuresOverrideπŸ“œ

Type: object

Default value
{}

Description: Overrides features defined at the root level

reportsController.enabledπŸ“œ

Type: bool

Default value
true

Description: Enable reports controller.

reportsController.rbac.createπŸ“œ

Type: bool

Default value
true

Description: Create RBAC resources

reportsController.rbac.serviceAccount.nameπŸ“œ

Type: string

Default value
nil

Description: Service account name

reportsController.rbac.serviceAccount.annotationsπŸ“œ

Type: object

Default value
{}

Description: Annotations for the ServiceAccount

reportsController.rbac.serviceAccount.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
false

Description: Sets `automountServiceAccountToken` on the ServiceAccount resource itself. Left false so the token is mounted only where a pod spec explicitly asks for it; token mounting for the controller pods is governed by `reportsController.rbac.deployment.automountServiceAccountToken.enabled`, which takes precedence over this setting.

reportsController.rbac.deployment.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

Description: Sets `automountServiceAccountToken` in the controller's pod spec, so a service account token is mounted into the container. The controller presumably authenticates to the Kubernetes API with this token, so disabling it is expected to break the controller unless a token is supplied another way — verify against the chart templates before changing.

reportsController.rbac.clusterRole.extraResourcesπŸ“œ

Type: list

Default value
[]

Description: Extra resource permissions to add in the cluster role

reportsController.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

reportsController.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kyverno/kyverno/reports-controller"

Description: Image repository

reportsController.image.tagπŸ“œ

Type: string

Default value
"v1.11.4"

Description: Image tag. Defaults to appVersion in Chart.yaml if omitted. Keep this pinned to an explicit version (as the default is) rather than a floating tag such as `latest`, so the deployed image is reproducible and reviewable.

reportsController.image.pullPolicyπŸ“œ

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

reportsController.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

reportsController.replicasπŸ“œ

Type: int

Default value
nil

Description: Desired number of pods

reportsController.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels to add to each pod

reportsController.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Additional annotations to add to each pod

reportsController.priorityClassNameπŸ“œ

Type: string

Default value
""

Description: Optional priority class

reportsController.apiPriorityAndFairnessπŸ“œ

Type: bool

Default value
false

Description: Change apiPriorityAndFairness to true if you want to insulate the API calls made by Kyverno reports controller activities. This will help ensure Kyverno reports stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/

reportsController.hostNetworkπŸ“œ

Type: bool

Default value
false

Description: Change hostNetwork to true when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode. Security note: a host-network pod can reach anything the node can and falls outside the Pod Security Standards "baseline" profile, so leave this false unless your CNI genuinely requires it.

reportsController.dnsPolicyπŸ“œ

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

reportsController.extraArgsπŸ“œ

Type: object

Default value
{}

Description: Extra arguments passed to the container on the command line

reportsController.extraEnvVarsπŸ“œ

Type: list

Default value
[]

Description: Additional container environment variables.

reportsController.resources.limitsπŸ“œ

Type: object

Default value
memory: 128Mi

Description: Pod resource limits

reportsController.resources.requestsπŸ“œ

Type: object

Default value
cpu: 100m
memory: 64Mi

Description: Pod resource requests

reportsController.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

reportsController.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

reportsController.antiAffinity.enabledπŸ“œ

Type: bool

Default value
true

Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.

reportsController.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

reportsController.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

reportsController.topologySpreadConstraintsπŸ“œ

Type: list

Default value
[]

Description: Topology spread constraints.

reportsController.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

reportsController.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

reportsController.podDisruptionBudget.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.

reportsController.podDisruptionBudget.minAvailableπŸ“œ

Type: int

Default value
1

Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.

reportsController.podDisruptionBudget.maxUnavailableπŸ“œ

Type: string

Default value
nil

Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.

reportsController.tufRootMountPathπŸ“œ

Type: string

Default value
"/.sigstore"

Description: A writable volume to use for the TUF root initialization.

reportsController.sigstoreVolumeπŸ“œ

Type: object

Default value
emptyDir: {}

Description: Volume to be mounted in pods for TUF/cosign work.

reportsController.metricsService.createπŸ“œ

Type: bool

Default value
true

Description: Create service.

reportsController.metricsService.portπŸ“œ

Type: int

Default value
8000

Description: Service port. Metrics server will be exposed at this port.

reportsController.metricsService.typeπŸ“œ

Type: string

Default value
"ClusterIP"

Description: Service type.

reportsController.metricsService.nodePortπŸ“œ

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

reportsController.metricsService.annotationsπŸ“œ

Type: object

Default value
{}

Description: Service annotations.

reportsController.networkPolicy.enabledπŸ“œ

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to this controller's pods. This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. Note: the "webhook" wording is inherited from the admission controller; the reports controller exposes no webhook service in this chart (only `reportsController.metricsService`), so the policy presumably governs access to the metrics endpoint — inspect the generated policy before relying on it.

reportsController.networkPolicy.ingressFromπŸ“œ

Type: list

Default value
[]

Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.

reportsController.serviceMonitor.enabledπŸ“œ

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

reportsController.serviceMonitor.additionalLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels

reportsController.serviceMonitor.namespaceπŸ“œ

Type: string

Default value
nil

Description: Override namespace

reportsController.serviceMonitor.intervalπŸ“œ

Type: string

Default value
"30s"

Description: Interval to scrape metrics

reportsController.serviceMonitor.scrapeTimeoutπŸ“œ

Type: string

Default value
"25s"

Description: Timeout if metrics can't be retrieved within the scrape interval.

reportsController.serviceMonitor.secureπŸ“œ

Type: bool

Default value
false

Description: Whether the ServiceMonitor scrapes the metrics endpoint over TLS. Default false, i.e. metrics are collected in plaintext; when set to true, supply the matching `reportsController.serviceMonitor.tlsConfig`.

reportsController.serviceMonitor.tlsConfigπŸ“œ

Type: object

Default value
{}

Description: TLS Configuration for endpoint

reportsController.serviceMonitor.relabelingsπŸ“œ

Type: list

Default value
[]

Description: RelabelConfigs to apply to samples before scraping

reportsController.serviceMonitor.metricRelabelingsπŸ“œ

Type: list

Default value
[]

Description: MetricRelabelConfigs to apply to samples before ingestion.

reportsController.tracing.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable tracing

reportsController.tracing.addressπŸ“œ

Type: string

Default value
nil

Description: Traces receiver address

reportsController.tracing.portπŸ“œ

Type: string

Default value
nil

Description: Traces receiver port

reportsController.tracing.credsπŸ“œ

Type: string

Default value
nil

Description: Traces receiver credentials. Treat this value as a secret: do not commit it in plain text to a values file in version control.

reportsController.metering.disabledπŸ“œ

Type: bool

Default value
false

Description: Disable metrics export

reportsController.metering.configπŸ“œ

Type: string

Default value
"prometheus"

Description: Otel configuration, can be prometheus or grpc

reportsController.metering.portπŸ“œ

Type: int

Default value
8000

Description: Prometheus endpoint port

reportsController.metering.collectorπŸ“œ

Type: string

Default value
nil

Description: Otel collector endpoint

reportsController.metering.credsπŸ“œ

Type: string

Default value
nil

Description: Otel collector credentials. Treat this value as a secret: do not commit it in plain text to a values file in version control.

networkPolicies.enabledπŸ“œ

Type: bool

Default value
false

Description: Create the chart's own NetworkPolicy resources (configured by the other `networkPolicies.*` keys below). This is distinct from the per-controller `<controller>.networkPolicy.enabled` toggles documented above.

networkPolicies.controlPlaneCidrπŸ“œ

Type: string

Default value
"0.0.0.0/0"

Description: CIDR used in the generated NetworkPolicies for traffic between the Kyverno controllers and the Kubernetes control plane (API server). The default 0.0.0.0/0 matches every address and therefore imposes no restriction; set it to your cluster's actual control-plane/API server range so the policies do not admit arbitrary networks.

networkPolicies.externalRegistries.allowEgressπŸ“œ

Type: bool

Default value
false

Description: When true, the generated NetworkPolicies additionally permit egress from the controllers to container registries outside the cluster (presumably needed when policies must fetch image manifests or signatures from an external registry). Keep false unless such policies are in use, since it widens the controllers' allowed egress.

networkPolicies.externalRegistries.portsπŸ“œ

Type: list

Default value
[]

Description: Presumably the destination ports permitted for the external-registry egress enabled by `networkPolicies.externalRegistries.allowEgress`. Restrict this to the registry's TLS port(s) rather than an open range.

networkPolicies.allowExternalRegistryEgressπŸ“œ

Type: bool

Default value
false

Description: No upstream description. This key appears to duplicate `networkPolicies.externalRegistries.allowEgress` (possibly a legacy name); confirm which of the two the chart templates actually read before relying on either, and make sure neither is left enabled unintentionally.

networkPolicies.additionalPoliciesπŸ“œ

Type: list

Default value
[]

istio.enabledπŸ“œ

Type: bool

Default value
false

openshiftπŸ“œ

Type: bool

Default value
false

bbtests.enabledπŸ“œ

Type: bool

Default value
false

bbtests.scripts.imageπŸ“œ

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.29.3"

bbtests.scripts.additionalVolumeMounts[0].nameπŸ“œ

Type: string

Default value
"kyverno-bbtest-manifest"

bbtests.scripts.additionalVolumeMounts[0].mountPathπŸ“œ

Type: string

Default value
"/yaml"

bbtests.scripts.additionalVolumes[0].nameπŸ“œ

Type: string

Default value
"kyverno-bbtest-manifest"

bbtests.scripts.additionalVolumes[0].configMap.nameπŸ“œ

Type: string

Default value
"kyverno-bbtest-manifest"