kyverno values.yaml
global.image.registryπ
Type: string
"registry1.dso.mil"
Description: Global value that allows to set a single image registry across all deployments. When set, it will override any values set under .image.registry
across the chart.
global.imagePullSecrets[0].nameπ
Type: string
"private-registry"
global.caCertificates.dataπ
Type: string
nil
Description: Global CA certificates to use with Kyverno deployments. This value is expected to be one large string (PEM bundle) of CA certificates. Individual controller values override this global value.
global.caCertificates.volumeπ
Type: object
{}
Description: Global value to set a single volume to be mounted for CA certificates for all deployments. Not used when .Values.global.caCertificates.data is defined. Individual controller values override this global value.
global.extraEnvVarsπ
Type: list
[]
Description: Additional container environment variables to apply to all containers and init containers
global.nodeSelectorπ
Type: object
{}
Description: Global node labels for pod assignment. Non-global values will override the global value.
nameOverrideπ
Type: string
nil
Description: Override the name of the chart
fullnameOverrideπ
Type: string
nil
Description: Override the expanded name of the chart
namespaceOverrideπ
Type: string
nil
Description: Override the namespace the chart deploys to
upgrade.fromV2π
Type: bool
true
Description: Upgrading from v2 to v3 is blocked by the upstream chart unless this is set to true, and it should only be set once the breaking changes have been reviewed. Note that this packaging ships it as true by default, so the upgrade guard is already disabled here.
apiVersionOverride.podDisruptionBudgetπ
Type: string
"policy/v1"
Description: Override the API version used to create `PodDisruptionBudget` resources. When not specified the chart will check if `policy/v1/PodDisruptionBudget` is available to determine the API version automatically.
crds.installπ
Type: bool
true
Description: Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created
crds.groups.kyvernoπ
Type: object
admissionreports: true
backgroundscanreports: true
cleanuppolicies: true
clusteradmissionreports: true
clusterbackgroundscanreports: true
clustercleanuppolicies: true
clusterpolicies: true
globalcontextentries: true
policies: true
policyexceptions: true
updaterequests: true
Description: Install CRDs in group kyverno.io
crds.groups.reportsπ
Type: object
clusterephemeralreports: true
ephemeralreports: true
Description: Install CRDs in group reports.kyverno.io
crds.groups.wgpolicyk8sπ
Type: object
clusterpolicyreports: true
policyreports: true
Description: Install CRDs in group wgpolicyk8s.io
crds.annotationsπ
Type: object
{}
Description: Additional CRDs annotations
crds.customLabelsπ
Type: object
{}
Description: Additional CRDs labels
crds.migration.enabledπ
Type: bool
true
Description: Enable CRDs migration using helm post upgrade hook
crds.migration.resourcesπ
Type: list
- admissionreports.kyverno.io
- backgroundscanreports.kyverno.io
- cleanuppolicies.kyverno.io
- clusteradmissionreports.kyverno.io
- clusterbackgroundscanreports.kyverno.io
- clustercleanuppolicies.kyverno.io
- clusterpolicies.kyverno.io
- globalcontextentries.kyverno.io
- policies.kyverno.io
- policyexceptions.kyverno.io
- updaterequests.kyverno.io
Description: Resources to migrate
crds.migration.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
crds.migration.image.repositoryπ
Type: string
"ironbank/opensource/kyverno/kyvernocli"
Description: Image repository
crds.migration.image.tagπ
Type: string
"v1.12.6"
Description: Image tag Defaults to appVersion in Chart.yaml if omitted
crds.migration.image.pullPolicyπ
Type: string
nil
Description: Image pull policy
crds.migration.imagePullSecrets[0].nameπ
Type: string
"private-registry"
crds.podSecurityContextπ
Type: object
nodeAffinity: {}
nodeSelector: {}
podAffinity: {}
podAnnotations: {}
podAntiAffinity: {}
podLabels: {}
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
tolerations: []
Description: Pod-level settings for the CRD migration hook pod. Despite the key name, the object shown above also carries scheduling fields (nodeSelector, affinity, tolerations, labels, annotations) alongside the pod security context, and the container-level securityContext is nested under it.
crds.podSecurityContext.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
crds.podSecurityContext.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
crds.podSecurityContext.podAntiAffinityπ
Type: object
{}
Description: Pod anti affinity constraints.
crds.podSecurityContext.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
crds.podSecurityContext.podLabelsπ
Type: object
{}
Description: Pod labels.
crds.podSecurityContext.podAnnotationsπ
Type: object
{}
Description: Pod annotations.
crds.podSecurityContext.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
crds.podSecurityContext.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
Description: Security context for the hook containers
config.createπ
Type: bool
true
Description: Create the configmap.
config.preserveπ
Type: bool
true
Description: Preserve the configmap settings during upgrade.
config.nameπ
Type: string
nil
Description: The configmap name (required if create is false).
config.annotationsπ
Type: object
{}
Description: Additional annotations to add to the configmap.
config.enableDefaultRegistryMutationπ
Type: bool
true
Description: Enable registry mutation for container images. Enabled by default. When enabled, image references that do not specify a registry are rewritten to use config.defaultRegistry, so make sure that registry actually hosts the images your workloads reference.
config.defaultRegistryπ
Type: string
"registry1.dso.mil"
Description: The registry hostname used for the image mutation.
config.excludeGroupsπ
Type: list
- system:nodes
Description: Groups whose admission requests are excluded from Kyverno processing. Requests made by members of these groups (here system:nodes, i.e. kubelet identities) bypass policies entirely, so keep this list as short as possible.
config.excludeUsernamesπ
Type: list
[]
Description: Exclude usernames
config.excludeRolesπ
Type: list
[]
Description: Exclude roles
config.excludeClusterRolesπ
Type: list
[]
Description: Exclude cluster roles
config.generateSuccessEventsπ
Type: bool
false
Description: Generate success events.
config.webhooksπ
Type: list
- namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- kube-system
Description: Defines the namespaceSelector in the webhook configurations. Note that it takes a list of namespaceSelector and/or objectSelector in JSON format, and only the first element is forwarded to the webhook configurations. The Kyverno namespace is excluded if excludeKyvernoNamespace is true (default). Any namespace matched by the exclusion (kube-system in the default above) is not admission-controlled by Kyverno at all, so policies cannot enforce anything there.
config.webhookAnnotationsπ
Type: object
admissions.enforcer/disabled: 'true'
Description: Defines annotations to set on webhook configurations.
config.webhookLabelsπ
Type: object
{}
Description: Defines labels to set on webhook configurations.
config.matchConditionsπ
Type: list
[]
Description: Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+).
config.excludeKyvernoNamespaceπ
Type: bool
true
Description: Exclude the Kyverno namespace. Determines whether the default Kyverno namespace exclusion is enabled for webhooks and resourceFilters.
config.resourceFiltersExcludeNamespacesπ
Type: list
[]
Description: resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters
config.resourceFiltersExcludeπ
Type: list
[]
Description: resourceFilters exclude list Items to exclude from config.resourceFilters
config.resourceFiltersIncludeNamespacesπ
Type: list
[]
Description: resourceFilter namespace include Namespaces to include to the default resourceFilters
config.resourceFiltersIncludeπ
Type: list
[]
Description: resourceFilters include list Items to include to config.resourceFilters
metricsConfig.createπ
Type: bool
true
Description: Create the configmap.
metricsConfig.nameπ
Type: string
nil
Description: The configmap name (required if create is false).
metricsConfig.annotationsπ
Type: object
{}
Description: Additional annotations to add to the configmap.
metricsConfig.namespaces.includeπ
Type: list
[]
Description: List of namespaces to capture metrics for.
metricsConfig.namespaces.excludeπ
Type: list
[]
Description: list of namespaces to NOT capture metrics for.
metricsConfig.metricsRefreshIntervalπ
Type: string
nil
Description: Rate at which metrics should reset so as to clean up the memory footprint of Kyverno metrics, if you are expecting a high memory footprint from Kyverno's metrics. Default: 0, no refresh of metrics. WARNING: This flag has not worked since Kyverno 1.8.0.
metricsConfig.bucketBoundariesπ
Type: list
- 0.005
- 0.01
- 0.025
- 0.05
- 0.1
- 0.25
- 0.5
- 1
- 2.5
- 5
- 10
- 15
- 20
- 25
- 30
Description: Configures the bucket boundaries for all Histogram metrics, changing this configuration requires restart of the kyverno admission controller
metricsConfig.metricsExposureπ
Type: map
nil
Description: Configures the exposure of individual metrics, by default all metrics and all labels are exported, changing this configuration requires restart of the kyverno admission controller
imagePullSecretsπ
Type: object
{}
Description: Image pull secrets for image verification policies, this will define the --imagePullSecrets
argument
existingImagePullSecretsπ
Type: list
- private-registry
Description: Existing Image pull secrets for image verification policies, this will define the --imagePullSecrets
argument
test.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
test.image.repositoryπ
Type: string
"ironbank/redhat/ubi/ubi9-minimal"
Description: Image repository
test.image.tagπ
Type: string
"9.4"
Description: Image tag Defaults to latest
if omitted
test.image.pullPolicyπ
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
test.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
test.resources.limitsπ
Type: object
cpu: 100m
memory: 256Mi
Description: Pod resource limits
test.resources.requestsπ
Type: object
cpu: 10m
memory: 64Mi
Description: Pod resource requests
test.podSecurityContextπ
Type: object
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
Description: Security context for the test pod
test.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
Description: Security context for the test containers
customLabelsπ
Type: object
{}
Description: Additional labels
webhooksCleanup.enabledπ
Type: bool
true
Description: Create a helm pre-delete hook to cleanup webhooks.
webhooksCleanup.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
webhooksCleanup.image.repositoryπ
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
webhooksCleanup.image.tagπ
Type: string
"v1.30.5"
Description: Image tag Defaults to latest
if omitted
webhooksCleanup.image.pullPolicyπ
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
webhooksCleanup.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
webhooksCleanup.automountServiceAccountToken.enabledπ
Type: bool
true
webhooksCleanup.podSecurityContextπ
Type: object
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
Description: Security context for the pod
webhooksCleanup.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
webhooksCleanup.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
webhooksCleanup.podAntiAffinityπ
Type: object
{}
Description: Pod anti affinity constraints.
webhooksCleanup.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
webhooksCleanup.podLabelsπ
Type: object
{}
Description: Pod labels.
webhooksCleanup.podAnnotationsπ
Type: object
{}
Description: Pod annotations.
webhooksCleanup.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
webhooksCleanup.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
type: RuntimeDefault
Description: Security context for the hook containers
webhooksCleanup.resourcesπ
Type: object
limits:
cpu: '0.5'
memory: 256Mi
requests:
cpu: '0.5'
memory: 256Mi
Description: Resource limits for the containers
policyReportsCleanup.enabledπ
Type: bool
false
Description: Create a helm post-upgrade hook to cleanup the old policy reports.
policyReportsCleanup.automountServiceAccountToken.enabledπ
Type: bool
true
policyReportsCleanup.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
policyReportsCleanup.image.repositoryπ
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
policyReportsCleanup.image.tagπ
Type: string
"v1.30.5"
Description: Image tag Defaults to latest
if omitted
policyReportsCleanup.image.pullPolicyπ
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
policyReportsCleanup.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
policyReportsCleanup.podSecurityContextπ
Type: object
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
Description: Security context for the pod
policyReportsCleanup.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
policyReportsCleanup.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
policyReportsCleanup.podAntiAffinityπ
Type: object
{}
Description: Pod anti affinity constraints.
policyReportsCleanup.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
policyReportsCleanup.podLabelsπ
Type: object
{}
Description: Pod labels.
policyReportsCleanup.podAnnotationsπ
Type: object
{}
Description: Pod annotations.
policyReportsCleanup.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
policyReportsCleanup.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
type: RuntimeDefault
Description: Security context for the hook containers
policyReportsCleanup.resourcesπ
Type: object
limits:
cpu: '1'
memory: 512Mi
requests:
cpu: '0.5'
memory: 256Mi
Description: Resource limits for the containers
grafana.enabledπ
Type: bool
false
Description: Enable grafana dashboard creation.
grafana.configMapNameπ
Type: string
"{{ include \"kyverno.fullname\" . }}-grafana"
Description: Configmap name template.
grafana.namespaceπ
Type: string
nil
Description: Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed.
grafana.annotationsπ
Type: object
{}
Description: Grafana dashboard configmap annotations.
grafana.labelsπ
Type: object
grafana_dashboard: '1'
Description: Grafana dashboard configmap labels
grafana.grafanaDashboardπ
Type: object
create: false
matchLabels:
dashboards: grafana
Description: Create a GrafanaDashboard custom resource referencing the configMap, as described at https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/
features.admissionReports.enabledπ
Type: bool
true
Description: Enables the feature
features.aggregateReports.enabledπ
Type: bool
true
Description: Enables the feature
features.policyReports.enabledπ
Type: bool
true
Description: Enables the feature
features.validatingAdmissionPolicyReports.enabledπ
Type: bool
false
Description: Enables the feature
features.autoUpdateWebhooks.enabledπ
Type: bool
true
Description: Enables the feature
features.backgroundScan.enabledπ
Type: bool
true
Description: Enables the feature
features.backgroundScan.backgroundScanWorkersπ
Type: int
2
Description: Number of background scan workers
features.backgroundScan.backgroundScanIntervalπ
Type: string
"1h"
Description: Background scan interval
features.backgroundScan.skipResourceFiltersπ
Type: bool
true
Description: Skips resource filters in background scan
features.configMapCaching.enabledπ
Type: bool
true
Description: Enables the feature
features.deferredLoading.enabledπ
Type: bool
true
Description: Enables the feature
features.dumpPayload.enabledπ
Type: bool
false
Description: Enables the feature
features.forceFailurePolicyIgnore.enabledπ
Type: bool
false
Description: Enables the feature
features.generateValidatingAdmissionPolicy.enabledπ
Type: bool
false
Description: Enables the feature
features.globalContext.maxApiCallResponseLengthπ
Type: int
2000000
Description: Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended)
features.logging.formatπ
Type: string
"text"
Description: Logging format
features.logging.verbosityπ
Type: int
2
Description: Logging verbosity
features.omitEvents.eventTypesπ
Type: list
- PolicyApplied
- PolicySkipped
Description: Events which should not be emitted (possible values: PolicyViolation, PolicyApplied, PolicyError, and PolicySkipped).
features.policyExceptions.enabledπ
Type: bool
true
Description: Enables the feature
features.policyExceptions.namespaceπ
Type: string
"kyverno"
Description: Restrict PolicyException resources to a single namespace. Scoping exceptions to one namespace keeps the ability to carve out policy exemptions under the control of whoever administers that namespace rather than any namespace owner.
features.protectManagedResources.enabledπ
Type: bool
false
Description: Enables the feature
features.registryClient.allowInsecureπ
Type: bool
false
Description: Allow insecure connections to image registries (plain HTTP or unverified TLS). Keep this false outside of testing, since image verification policies then trust an unauthenticated registry.
features.registryClient.credentialHelpersπ
Type: list
- default
- google
- amazon
- azure
- github
Description: Enable registry client helpers
features.reports.chunkSizeπ
Type: int
0
Description: Reports chunk size
features.ttlController.reconciliationIntervalπ
Type: string
"1m"
Description: Reconciliation interval for the label based cleanup manager
features.tuf.enabledπ
Type: bool
false
Description: Enables the feature
features.tuf.rootπ
Type: string
nil
Description: Tuf root
features.tuf.mirrorπ
Type: string
nil
Description: Tuf mirror
cleanupJobs.rbac.serviceAccount.automountServiceAccountToken.enabledπ
Type: bool
false
cleanupJobs.admissionReports.enabledπ
Type: bool
true
Description: Enable cleanup cronjob
cleanupJobs.admissionReports.automountServiceAccountToken.enabledπ
Type: bool
true
cleanupJobs.admissionReports.backoffLimitπ
Type: int
3
Description: Maximum number of retries before considering a Job as failed. Defaults to 3.
cleanupJobs.admissionReports.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
cleanupJobs.admissionReports.image.repositoryπ
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
cleanupJobs.admissionReports.image.tagπ
Type: string
"v1.30.5"
Description: Image tag Defaults to latest
if omitted
cleanupJobs.admissionReports.image.pullPolicyπ
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
cleanupJobs.admissionReports.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
cleanupJobs.admissionReports.scheduleπ
Type: string
"*/10 * * * *"
Description: Cronjob schedule
cleanupJobs.admissionReports.thresholdπ
Type: int
10000
Description: Reports threshold, if number of reports are above this value the cronjob will start deleting them
cleanupJobs.admissionReports.historyπ
Type: object
failure: 1
success: 1
Description: Cronjob history
cleanupJobs.admissionReports.podSecurityContextπ
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
cleanupJobs.admissionReports.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
cleanupJobs.admissionReports.priorityClassNameπ
Type: string
""
Description: Pod PriorityClassName
cleanupJobs.admissionReports.resourcesπ
Type: object
{}
Description: Job resources
cleanupJobs.admissionReports.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
cleanupJobs.admissionReports.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
cleanupJobs.admissionReports.podAnnotationsπ
Type: object
{}
Description: Pod Annotations
cleanupJobs.admissionReports.podLabelsπ
Type: object
{}
Description: Pod labels
cleanupJobs.admissionReports.podAntiAffinityπ
Type: object
{}
Description: Pod anti affinity constraints.
cleanupJobs.admissionReports.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
cleanupJobs.admissionReports.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
cleanupJobs.clusterAdmissionReports.enabledπ
Type: bool
true
Description: Enable cleanup cronjob
cleanupJobs.clusterAdmissionReports.automountServiceAccountToken.enabledπ
Type: bool
true
cleanupJobs.clusterAdmissionReports.backoffLimitπ
Type: int
3
Description: Maximum number of retries before considering a Job as failed. Defaults to 3.
cleanupJobs.clusterAdmissionReports.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
cleanupJobs.clusterAdmissionReports.image.repositoryπ
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
cleanupJobs.clusterAdmissionReports.image.tagπ
Type: string
"v1.30.5"
Description: Image tag Defaults to latest
if omitted
cleanupJobs.clusterAdmissionReports.image.pullPolicyπ
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
cleanupJobs.clusterAdmissionReports.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
cleanupJobs.clusterAdmissionReports.scheduleπ
Type: string
"*/10 * * * *"
Description: Cronjob schedule
cleanupJobs.clusterAdmissionReports.thresholdπ
Type: int
10000
Description: Reports threshold, if number of reports are above this value the cronjob will start deleting them
cleanupJobs.clusterAdmissionReports.historyπ
Type: object
failure: 1
success: 1
Description: Cronjob history
cleanupJobs.clusterAdmissionReports.podSecurityContextπ
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
cleanupJobs.clusterAdmissionReports.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
cleanupJobs.clusterAdmissionReports.priorityClassNameπ
Type: string
""
Description: Pod PriorityClassName
cleanupJobs.clusterAdmissionReports.resourcesπ
Type: object
{}
Description: Job resources
cleanupJobs.clusterAdmissionReports.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
cleanupJobs.clusterAdmissionReports.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
cleanupJobs.clusterAdmissionReports.podAnnotationsπ
Type: object
{}
Description: Pod Annotations
cleanupJobs.clusterAdmissionReports.podLabelsπ
Type: object
{}
Description: Pod Labels
cleanupJobs.clusterAdmissionReports.podAntiAffinityπ
Type: object
{}
Description: Pod anti affinity constraints.
cleanupJobs.clusterAdmissionReports.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
cleanupJobs.clusterAdmissionReports.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
cleanupJobs.updateRequests.enabledπ
Type: bool
true
Description: Enable cleanup cronjob
cleanupJobs.updateRequests.automountServiceAccountToken.enabledπ
Type: bool
true
cleanupJobs.updateRequests.backoffLimitπ
Type: int
3
Description: Maximum number of retries before considering a Job as failed. Defaults to 3.
cleanupJobs.updateRequests.ttlSecondsAfterFinishedπ
Type: string
""
Description: Time until the pod from the cronjob is deleted
cleanupJobs.updateRequests.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
cleanupJobs.updateRequests.image.repositoryπ
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
cleanupJobs.updateRequests.image.tagπ
Type: string
"v1.30.5"
Description: Image tag Defaults to latest
if omitted
cleanupJobs.updateRequests.image.pullPolicyπ
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
cleanupJobs.updateRequests.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
cleanupJobs.updateRequests.scheduleπ
Type: string
"*/10 * * * *"
Description: Cronjob schedule
cleanupJobs.updateRequests.thresholdπ
Type: int
10000
Description: Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them
cleanupJobs.updateRequests.historyπ
Type: object
failure: 1
success: 1
Description: Cronjob history
cleanupJobs.updateRequests.podSecurityContextπ
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
cleanupJobs.updateRequests.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers. Note that, unlike the other cleanup jobs above, this one sets no container-level runAsUser/runAsGroup; the pod-level values from podSecurityContext (1000/1000) apply instead.
cleanupJobs.updateRequests.priorityClassNameπ
Type: string
""
Description: Pod PriorityClassName
cleanupJobs.updateRequests.resourcesπ
Type: object
{}
Description: Job resources
cleanupJobs.updateRequests.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
cleanupJobs.updateRequests.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
cleanupJobs.updateRequests.podAnnotationsπ
Type: object
{}
Description: Pod Annotations
cleanupJobs.updateRequests.podLabelsπ
Type: object
{}
Description: Pod labels
cleanupJobs.updateRequests.podAntiAffinityπ
Type: object
{}
Description: Pod anti affinity constraints.
cleanupJobs.updateRequests.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
cleanupJobs.updateRequests.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
cleanupJobs.ephemeralReports.enabledπ
Type: bool
true
Description: Enable cleanup cronjob
cleanupJobs.ephemeralReports.automountServiceAccountToken.enabledπ
Type: bool
true
cleanupJobs.ephemeralReports.backoffLimitπ
Type: int
3
Description: Maximum number of retries before considering a Job as failed. Defaults to 3.
cleanupJobs.ephemeralReports.ttlSecondsAfterFinishedπ
Type: string
""
Description: Time until the pod from the cronjob is deleted
cleanupJobs.ephemeralReports.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
cleanupJobs.ephemeralReports.image.repositoryπ
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
cleanupJobs.ephemeralReports.image.tagπ
Type: string
"v1.30.5"
Description: Image tag Defaults to latest
if omitted
cleanupJobs.ephemeralReports.image.pullPolicyπ
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
cleanupJobs.ephemeralReports.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
cleanupJobs.ephemeralReports.scheduleπ
Type: string
"*/10 * * * *"
Description: Cronjob schedule
cleanupJobs.ephemeralReports.thresholdπ
Type: int
10000
Description: Reports threshold, if the number of ephemeral reports is above this value the cronjob will start deleting them
cleanupJobs.ephemeralReports.historyπ
Type: object
failure: 1
success: 1
Description: Cronjob history
cleanupJobs.ephemeralReports.podSecurityContextπ
Type: object
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
Description: Security context for the pod
cleanupJobs.ephemeralReports.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers. Note that no container-level runAsUser/runAsGroup is set here; the pod-level values from podSecurityContext (1001/1001) apply instead.
cleanupJobs.ephemeralReports.priorityClassNameπ
Type: string
""
Description: Pod PriorityClassName
cleanupJobs.ephemeralReports.resourcesπ
Type: object
{}
Description: Job resources
cleanupJobs.ephemeralReports.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
cleanupJobs.ephemeralReports.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
cleanupJobs.ephemeralReports.podAnnotationsπ
Type: object
{}
Description: Pod Annotations
cleanupJobs.ephemeralReports.podLabelsπ
Type: object
{}
Description: Pod labels
cleanupJobs.ephemeralReports.podAntiAffinityπ
Type: object
{}
Description: Pod anti affinity constraints.
cleanupJobs.ephemeralReports.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
cleanupJobs.ephemeralReports.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
cleanupJobs.clusterEphemeralReports.enabledπ
Type: bool
true
Description: Enable cleanup cronjob
cleanupJobs.clusterEphemeralReports.automountServiceAccountToken.enabledπ
Type: bool
true
cleanupJobs.clusterEphemeralReports.backoffLimitπ
Type: int
3
Description: Maximum number of retries before considering a Job as failed. Defaults to 3.
cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinishedπ
Type: string
""
Description: Time until the pod from the cronjob is deleted
cleanupJobs.clusterEphemeralReports.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
cleanupJobs.clusterEphemeralReports.image.repositoryπ
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
cleanupJobs.clusterEphemeralReports.image.tagπ
Type: string
"v1.30.5"
Description: Image tag Defaults to latest
if omitted
cleanupJobs.clusterEphemeralReports.image.pullPolicyπ
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
cleanupJobs.clusterEphemeralReports.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
cleanupJobs.clusterEphemeralReports.scheduleπ
Type: string
"*/10 * * * *"
Description: Cronjob schedule
cleanupJobs.clusterEphemeralReports.thresholdπ
Type: int
10000
Description: Reports threshold, if number of reports are above this value the cronjob will start deleting them
cleanupJobs.clusterEphemeralReports.historyπ
Type: object
failure: 1
success: 1
Description: Cronjob history
cleanupJobs.clusterEphemeralReports.podSecurityContextπ
Type: object
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
Description: Security context for the pod
cleanupJobs.clusterEphemeralReports.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers. Note that no container-level runAsUser/runAsGroup is set here; the pod-level values from podSecurityContext (1001/1001) apply instead.
cleanupJobs.clusterEphemeralReports.priorityClassNameπ
Type: string
""
Description: Pod PriorityClassName
cleanupJobs.clusterEphemeralReports.resourcesπ
Type: object
{}
Description: Job resources
cleanupJobs.clusterEphemeralReports.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
cleanupJobs.clusterEphemeralReports.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
cleanupJobs.clusterEphemeralReports.podAnnotationsπ
Type: object
{}
Description: Pod Annotations
cleanupJobs.clusterEphemeralReports.podLabelsπ
Type: object
{}
Description: Pod Labels
cleanupJobs.clusterEphemeralReports.podAntiAffinityπ
Type: object
{}
Description: Pod anti affinity constraints.
cleanupJobs.clusterEphemeralReports.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
cleanupJobs.clusterEphemeralReports.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
admissionController.featuresOverrideπ
Type: object
admissionReports:
backPressureThreshold: 1000
Description: Overrides features defined at the root level
admissionController.featuresOverride.admissionReports.backPressureThresholdπ
Type: int
1000
Description: Max number of admission reports allowed in flight until the admission controller stops creating new ones
admissionController.rbac.createπ
Type: bool
true
Description: Create RBAC resources
admissionController.rbac.serviceAccount.nameπ
Type: string
nil
Description: The ServiceAccount name
admissionController.rbac.serviceAccount.annotationsπ
Type: object
{}
Description: Annotations for the ServiceAccount
admissionController.rbac.serviceAccount.automountServiceAccountToken.enabledπ
Type: bool
false
admissionController.rbac.deployment.automountServiceAccountToken.enabledπ
Type: bool
true
admissionController.rbac.clusterRole.extraResourcesπ
Type: list
[]
Description: Extra resource permissions to add in the cluster role
admissionController.createSelfSignedCertπ
Type: bool
false
Description: Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to true.
admissionController.replicasπ
Type: int
3
Description: Desired number of pods
admissionController.podLabelsπ
Type: object
{}
Description: Additional labels to add to each pod
admissionController.podAnnotationsπ
Type: object
{}
Description: Additional annotations to add to each pod
admissionController.priorityClassNameπ
Type: string
""
Description: Optional priority class
admissionController.apiPriorityAndFairnessπ
Type: bool
false
Description: Change apiPriorityAndFairness to true if you want to insulate the API calls made by Kyverno admission controller activities. This will help ensure Kyverno stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
admissionController.hostNetworkπ
Type: bool
false
Description: Change hostNetwork to true when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.
admissionController.webhookServerπ
Type: object
port: 9443
Description: Admission controller webhook server port. When using hostNetwork: true, you might want to change the port the webhook server listens on.
admissionController.dnsPolicyπ
Type: string
"ClusterFirst"
Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
admissionController.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
admissionController.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
admissionController.antiAffinity.enabledπ
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
admissionController.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
admissionController.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
admissionController.topologySpreadConstraintsπ
Type: list
[]
Description: Topology spread constraints.
admissionController.podSecurityContextπ
Type: object
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
Description: Security context for the pod
admissionController.podDisruptionBudget.enabledπ
Type: bool
false
Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
admissionController.podDisruptionBudget.minAvailableπ
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.
admissionController.podDisruptionBudget.maxUnavailableπ
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.
admissionController.tufRootMountPathπ
Type: string
"/.sigstore"
Description: A writable volume to use for the TUF root initialization.
admissionController.sigstoreVolumeπ
Type: object
emptyDir: {}
Description: Volume to be mounted in pods for TUF/cosign work.
admissionController.caCertificates.dataπ
Type: string
nil
Description: CA certificates to use with Kyverno deployments. This value is expected to be one large string of CA certificates.
admissionController.caCertificates.volumeπ
Type: object
{}
Description: Volume to be mounted for CA certificates. Not used when .Values.admissionController.caCertificates.data is defined.
admissionController.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
admissionController.initContainer.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
admissionController.initContainer.image.repositoryπ
Type: string
"ironbank/opensource/kyverno/kyvernopre"
Description: Image repository
admissionController.initContainer.image.tagπ
Type: string
"v1.12.6"
Description: Image tag. If missing, defaults to image.tag.
admissionController.initContainer.image.pullPolicyπ
Type: string
nil
Description: Image pull policy. If missing, defaults to image.pullPolicy.
admissionController.initContainer.resources.limitsπ
Type: object
cpu: 100m
memory: 256Mi
Description: Pod resource limits
admissionController.initContainer.resources.requestsπ
Type: object
cpu: 10m
memory: 64Mi
Description: Pod resource requests
admissionController.initContainer.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
type: RuntimeDefault
Description: Container security context
admissionController.initContainer.extraArgsπ
Type: object
{}
Description: Additional container args.
admissionController.initContainer.extraEnvVarsπ
Type: list
[]
Description: Additional container environment variables.
admissionController.container.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
admissionController.container.image.repositoryπ
Type: string
"ironbank/opensource/kyverno"
Description: Image repository
admissionController.container.image.tagπ
Type: string
"v1.12.6"
Description: Image tag. Defaults to appVersion in Chart.yaml if omitted.
admissionController.container.image.pullPolicyπ
Type: string
"IfNotPresent"
Description: Image pull policy
admissionController.container.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
admissionController.container.resources.limitsπ
Type: object
cpu: 500m
memory: 512Mi
Description: Pod resource limits
admissionController.container.resources.requestsπ
Type: object
cpu: 500m
memory: 512Mi
Description: Pod resource requests
admissionController.container.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
type: RuntimeDefault
Description: Container security context
admissionController.container.extraArgsπ
Type: object
{}
Description: Additional container args.
admissionController.container.extraEnvVarsπ
Type: list
[]
Description: Additional container environment variables.
admissionController.extraInitContainersπ
Type: list
[]
Description: Array of extra init containers
admissionController.extraContainersπ
Type: list
[]
Description: Array of extra containers to run alongside kyverno
admissionController.service.portπ
Type: int
443
Description: Service port.
admissionController.service.typeπ
Type: string
"ClusterIP"
Description: Service type.
admissionController.service.nodePortπ
Type: string
nil
Description: Service node port. Only used if type is NodePort.
admissionController.service.annotationsπ
Type: object
{}
Description: Service annotations.
admissionController.metricsService.createπ
Type: bool
true
Description: Create service.
admissionController.metricsService.portπ
Type: int
8000
Description: Service port. Kyverno's metrics server will be exposed at this port.
admissionController.metricsService.typeπ
Type: string
"ClusterIP"
Description: Service type.
admissionController.metricsService.nodePortπ
Type: string
nil
Description: Service node port. Only used if type is NodePort.
admissionController.metricsService.annotationsπ
Type: object
{}
Description: Service annotations.
admissionController.networkPolicy.enabledπ
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook. This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
admissionController.networkPolicy.ingressFromπ
Type: list
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
admissionController.serviceMonitor.enabledπ
Type: bool
false
Description: Create a ServiceMonitor to collect Prometheus metrics.
admissionController.serviceMonitor.additionalLabelsπ
Type: object
{}
Description: Additional labels
admissionController.serviceMonitor.namespaceπ
Type: string
nil
Description: Override namespace
admissionController.serviceMonitor.intervalπ
Type: string
"30s"
Description: Interval to scrape metrics
admissionController.serviceMonitor.scrapeTimeoutπ
Type: string
"25s"
Description: Timeout if metrics can't be retrieved in the given time interval
admissionController.serviceMonitor.secureπ
Type: bool
false
Description: Whether TLS is required for the endpoint
admissionController.serviceMonitor.tlsConfigπ
Type: object
{}
Description: TLS Configuration for endpoint
admissionController.serviceMonitor.relabelingsπ
Type: list
[]
Description: RelabelConfigs to apply to samples before scraping
admissionController.serviceMonitor.metricRelabelingsπ
Type: list
[]
Description: MetricRelabelConfigs to apply to samples before ingestion.
admissionController.tracing.enabledπ
Type: bool
false
Description: Enable tracing
admissionController.tracing.addressπ
Type: string
nil
Description: Traces receiver address
admissionController.tracing.portπ
Type: string
nil
Description: Traces receiver port
admissionController.tracing.credsπ
Type: string
""
Description: Traces receiver credentials
admissionController.metering.disabledπ
Type: bool
false
Description: Disable metrics export
admissionController.metering.configπ
Type: string
"prometheus"
Description: Otel configuration, can be prometheus or grpc
admissionController.metering.portπ
Type: int
8000
Description: Prometheus endpoint port
admissionController.metering.collectorπ
Type: string
""
Description: Otel collector endpoint
admissionController.metering.credsπ
Type: string
""
Description: Otel collector credentials
admissionController.profiling.enabledπ
Type: bool
false
Description: Enable profiling
admissionController.profiling.portπ
Type: int
6060
Description: Profiling endpoint port
admissionController.profiling.serviceTypeπ
Type: string
"ClusterIP"
Description: Service type.
admissionController.profiling.nodePortπ
Type: string
nil
Description: Service node port. Only used if type is NodePort.
backgroundController.featuresOverrideπ
Type: object
{}
Description: Overrides features defined at the root level
backgroundController.enabledπ
Type: bool
true
Description: Enable background controller.
backgroundController.rbac.createπ
Type: bool
true
Description: Create RBAC resources
backgroundController.rbac.serviceAccount.nameπ
Type: string
nil
Description: Service account name
backgroundController.rbac.serviceAccount.annotationsπ
Type: object
{}
Description: Annotations for the ServiceAccount
backgroundController.rbac.serviceAccount.automountServiceAccountToken.enabledπ
Type: bool
false
backgroundController.rbac.deployment.automountServiceAccountToken.enabledπ
Type: bool
true
backgroundController.rbac.clusterRole.extraResourcesπ
Type: list
[]
Description: Extra resource permissions to add in the cluster role
backgroundController.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
backgroundController.image.repositoryπ
Type: string
"ironbank/opensource/kyverno/kyverno/background-controller"
Description: Image repository
backgroundController.image.tagπ
Type: string
"v1.12.6"
Description: Image tag. Defaults to appVersion in Chart.yaml if omitted.
backgroundController.image.pullPolicyπ
Type: string
"IfNotPresent"
Description: Image pull policy
backgroundController.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
backgroundController.replicasπ
Type: int
nil
Description: Desired number of pods
backgroundController.revisionHistoryLimitπ
Type: int
10
Description: The number of revisions to keep
backgroundController.podLabelsπ
Type: object
{}
Description: Additional labels to add to each pod
backgroundController.podAnnotationsπ
Type: object
{}
Description: Additional annotations to add to each pod
backgroundController.priorityClassNameπ
Type: string
""
Description: Optional priority class
backgroundController.hostNetworkπ
Type: bool
false
Description: Change hostNetwork to true when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.
backgroundController.dnsPolicyπ
Type: string
"ClusterFirst"
Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
backgroundController.extraArgsπ
Type: object
{}
Description: Extra arguments passed to the container on the command line
backgroundController.extraEnvVarsπ
Type: list
[]
Description: Additional container environment variables.
backgroundController.resources.limitsπ
Type: object
memory: 128Mi
Description: Pod resource limits
backgroundController.resources.requestsπ
Type: object
cpu: 100m
memory: 64Mi
Description: Pod resource requests
backgroundController.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
backgroundController.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
backgroundController.antiAffinity.enabledπ
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
backgroundController.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
backgroundController.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
backgroundController.topologySpreadConstraintsπ
Type: list
[]
Description: Topology spread constraints.
backgroundController.podSecurityContextπ
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
backgroundController.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
backgroundController.podDisruptionBudget.enabledπ
Type: bool
false
Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
backgroundController.podDisruptionBudget.minAvailableπ
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.
backgroundController.podDisruptionBudget.maxUnavailableπ
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.
backgroundController.caCertificates.dataπ
Type: string
nil
Description: CA certificates to use with Kyverno deployments. This value is expected to be one large string of CA certificates.
backgroundController.caCertificates.volumeπ
Type: object
{}
Description: Volume to be mounted for CA certificates. Not used when .Values.backgroundController.caCertificates.data is defined.
backgroundController.metricsService.createπ
Type: bool
true
Description: Create service.
backgroundController.metricsService.portπ
Type: int
8000
Description: Service port. Metrics server will be exposed at this port.
backgroundController.metricsService.typeπ
Type: string
"ClusterIP"
Description: Service type.
backgroundController.metricsService.nodePortπ
Type: string
nil
Description: Service node port. Only used if metricsService.type is NodePort.
backgroundController.metricsService.annotationsπ
Type: object
{}
Description: Service annotations.
backgroundController.networkPolicy.enabledπ
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook. This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
backgroundController.networkPolicy.ingressFromπ
Type: list
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
backgroundController.serviceMonitor.enabledπ
Type: bool
false
Description: Create a ServiceMonitor to collect Prometheus metrics.
backgroundController.serviceMonitor.additionalLabelsπ
Type: object
{}
Description: Additional labels
backgroundController.serviceMonitor.namespaceπ
Type: string
nil
Description: Override namespace
backgroundController.serviceMonitor.intervalπ
Type: string
"30s"
Description: Interval to scrape metrics
backgroundController.serviceMonitor.scrapeTimeoutπ
Type: string
"25s"
Description: Timeout if metrics can't be retrieved in the given time interval
backgroundController.serviceMonitor.secureπ
Type: bool
false
Description: Whether TLS is required for the endpoint
backgroundController.serviceMonitor.tlsConfigπ
Type: object
{}
Description: TLS Configuration for endpoint
backgroundController.serviceMonitor.relabelingsπ
Type: list
[]
Description: RelabelConfigs to apply to samples before scraping
backgroundController.serviceMonitor.metricRelabelingsπ
Type: list
[]
Description: MetricRelabelConfigs to apply to samples before ingestion.
backgroundController.tracing.enabledπ
Type: bool
false
Description: Enable tracing
backgroundController.tracing.addressπ
Type: string
nil
Description: Traces receiver address
backgroundController.tracing.portπ
Type: string
nil
Description: Traces receiver port
backgroundController.tracing.credsπ
Type: string
""
Description: Traces receiver credentials
backgroundController.metering.disabledπ
Type: bool
false
Description: Disable metrics export
backgroundController.metering.configπ
Type: string
"prometheus"
Description: Otel configuration, can be prometheus or grpc
backgroundController.metering.portπ
Type: int
8000
Description: Prometheus endpoint port
backgroundController.metering.collectorπ
Type: string
""
Description: Otel collector endpoint
backgroundController.metering.credsπ
Type: string
""
Description: Otel collector credentials
backgroundController.profiling.enabledπ
Type: bool
false
Description: Enable profiling
backgroundController.profiling.portπ
Type: int
6060
Description: Profiling endpoint port
backgroundController.profiling.serviceTypeπ
Type: string
"ClusterIP"
Description: Service type.
backgroundController.profiling.nodePortπ
Type: string
nil
Description: Service node port. Only used if type is NodePort.
cleanupController.featuresOverrideπ
Type: object
{}
Description: Overrides features defined at the root level
cleanupController.enabledπ
Type: bool
true
Description: Enable cleanup controller.
cleanupController.rbac.createπ
Type: bool
true
Description: Create RBAC resources
cleanupController.rbac.serviceAccount.nameπ
Type: string
nil
Description: Service account name
cleanupController.rbac.serviceAccount.annotationsπ
Type: object
{}
Description: Annotations for the ServiceAccount
cleanupController.rbac.serviceAccount.automountServiceAccountToken.enabledπ
Type: bool
false
cleanupController.rbac.deployment.automountServiceAccountToken.enabledπ
Type: bool
true
cleanupController.rbac.clusterRole.extraResourcesπ
Type: list
[]
Description: Extra resource permissions to add in the cluster role
cleanupController.createSelfSignedCertπ
Type: bool
false
Description: Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to true.
cleanupController.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
cleanupController.image.repositoryπ
Type: string
"ironbank/opensource/kyverno/kyverno/cleanup-controller"
Description: Image repository
cleanupController.image.tagπ
Type: string
"v1.12.6"
Description: Image tag. Defaults to appVersion in Chart.yaml if omitted.
cleanupController.image.pullPolicyπ
Type: string
"IfNotPresent"
Description: Image pull policy
cleanupController.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
cleanupController.replicasπ
Type: int
nil
Description: Desired number of pods
cleanupController.revisionHistoryLimitπ
Type: int
10
Description: The number of revisions to keep
cleanupController.podLabelsπ
Type: object
{}
Description: Additional labels to add to each pod
cleanupController.podAnnotationsπ
Type: object
{}
Description: Additional annotations to add to each pod
cleanupController.priorityClassNameπ
Type: string
""
Description: Optional priority class
cleanupController.hostNetworkπ
Type: bool
false
Description: Change hostNetwork to true when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.
cleanupController.serverπ
Type: object
port: 9443
Description: Cleanup controller server port. When using hostNetwork: true, you might want to change the port the cleanup controller listens on.
cleanupController.webhookServerπ
Type: object
port: 9443
Description: Cleanup controller webhook server port. When using hostNetwork: true, you might want to change the port the webhook server listens on.
cleanupController.dnsPolicyπ
Type: string
"ClusterFirst"
Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
cleanupController.extraArgsπ
Type: object
{}
Description: Extra arguments passed to the container on the command line
cleanupController.extraEnvVarsπ
Type: list
[]
Description: Additional container environment variables.
cleanupController.resources.limitsπ
Type: object
memory: 128Mi
Description: Pod resource limits
cleanupController.resources.requestsπ
Type: object
cpu: 100m
memory: 64Mi
Description: Pod resource requests
cleanupController.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
cleanupController.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
cleanupController.antiAffinity.enabledπ
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
cleanupController.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
cleanupController.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
cleanupController.topologySpreadConstraintsπ
Type: list
[]
Description: Topology spread constraints.
cleanupController.podSecurityContextπ
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
cleanupController.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
cleanupController.podDisruptionBudget.enabledπ
Type: bool
false
Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
cleanupController.podDisruptionBudget.minAvailableπ
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.
cleanupController.podDisruptionBudget.maxUnavailableπ
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.
cleanupController.service.portπ
Type: int
443
Description: Service port.
cleanupController.service.typeπ
Type: string
"ClusterIP"
Description: Service type.
cleanupController.service.nodePortπ
Type: string
nil
Description: Service node port. Only used if service.type is NodePort.
cleanupController.service.annotationsπ
Type: object
{}
Description: Service annotations.
cleanupController.metricsService.createπ
Type: bool
true
Description: Create service.
cleanupController.metricsService.portπ
Type: int
8000
Description: Service port. Metrics server will be exposed at this port.
cleanupController.metricsService.typeπ
Type: string
"ClusterIP"
Description: Service type.
cleanupController.metricsService.nodePortπ
Type: string
nil
Description: Service node port. Only used if metricsService.type is NodePort.
cleanupController.metricsService.annotationsπ
Type: object
{}
Description: Service annotations.
cleanupController.networkPolicy.enabledπ
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook. This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
cleanupController.networkPolicy.ingressFromπ
Type: list
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
cleanupController.serviceMonitor.enabledπ
Type: bool
false
Description: Create a ServiceMonitor to collect Prometheus metrics.
cleanupController.serviceMonitor.additionalLabelsπ
Type: object
{}
Description: Additional labels
cleanupController.serviceMonitor.namespaceπ
Type: string
nil
Description: Override namespace
cleanupController.serviceMonitor.intervalπ
Type: string
"30s"
Description: Interval to scrape metrics
cleanupController.serviceMonitor.scrapeTimeoutπ
Type: string
"25s"
Description: Timeout if metrics can't be retrieved in the given time interval
cleanupController.serviceMonitor.secureπ
Type: bool
false
Description: Whether TLS is required for the endpoint
cleanupController.serviceMonitor.tlsConfigπ
Type: object
{}
Description: TLS Configuration for endpoint
cleanupController.serviceMonitor.relabelingsπ
Type: list
[]
Description: RelabelConfigs to apply to samples before scraping
cleanupController.serviceMonitor.metricRelabelingsπ
Type: list
[]
Description: MetricRelabelConfigs to apply to samples before ingestion.
cleanupController.tracing.enabledπ
Type: bool
false
Description: Enable tracing
cleanupController.tracing.addressπ
Type: string
nil
Description: Traces receiver address
cleanupController.tracing.portπ
Type: string
nil
Description: Traces receiver port
cleanupController.tracing.credsπ
Type: string
""
Description: Traces receiver credentials
cleanupController.metering.disabledπ
Type: bool
false
Description: Disable metrics export
cleanupController.metering.configπ
Type: string
"prometheus"
Description: Otel configuration, can be prometheus or grpc
cleanupController.metering.portπ
Type: int
8000
Description: Prometheus endpoint port
cleanupController.metering.collectorπ
Type: string
""
Description: Otel collector endpoint
cleanupController.metering.credsπ
Type: string
""
Description: Otel collector credentials
cleanupController.profiling.enabledπ
Type: bool
false
Description: Enable profiling
cleanupController.profiling.portπ
Type: int
6060
Description: Profiling endpoint port
cleanupController.profiling.serviceTypeπ
Type: string
"ClusterIP"
Description: Service type.
cleanupController.profiling.nodePortπ
Type: string
nil
Description: Service node port. Only used if type is NodePort.
reportsController.featuresOverrideπ
Type: object
{}
Description: Overrides features defined at the root level
reportsController.enabledπ
Type: bool
true
Description: Enable reports controller.
reportsController.rbac.createπ
Type: bool
true
Description: Create RBAC resources
reportsController.rbac.serviceAccount.nameπ
Type: string
nil
Description: Service account name
reportsController.rbac.serviceAccount.annotationsπ
Type: object
{}
Description: Annotations for the ServiceAccount
reportsController.rbac.serviceAccount.automountServiceAccountToken.enabledπ
Type: bool
false
reportsController.rbac.deployment.automountServiceAccountToken.enabledπ
Type: bool
true
reportsController.rbac.clusterRole.extraResourcesπ
Type: list
[]
Description: Extra resource permissions to add in the cluster role
reportsController.image.registryπ
Type: string
"registry1.dso.mil"
Description: Image registry
reportsController.image.repositoryπ
Type: string
"ironbank/opensource/kyverno/kyverno/reports-controller"
Description: Image repository
reportsController.image.tagπ
Type: string
"v1.12.6"
Description: Image tag. Defaults to appVersion in Chart.yaml if omitted.
reportsController.image.pullPolicyπ
Type: string
"IfNotPresent"
Description: Image pull policy
reportsController.imagePullSecretsπ
Type: list
- name: private-registry
Description: Image pull secrets
reportsController.replicasπ
Type: int
nil
Description: Desired number of pods
reportsController.revisionHistoryLimitπ
Type: int
10
Description: The number of revisions to keep
reportsController.podLabelsπ
Type: object
{}
Description: Additional labels to add to each pod
reportsController.podAnnotationsπ
Type: object
{}
Description: Additional annotations to add to each pod
reportsController.priorityClassNameπ
Type: string
""
Description: Optional priority class
reportsController.apiPriorityAndFairnessπ
Type: bool
false
Description: Change apiPriorityAndFairness to true if you want to insulate the API calls made by Kyverno reports controller activities. This will help ensure Kyverno reports stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
reportsController.hostNetworkπ
Type: bool
false
Description: Change hostNetwork to true when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.
reportsController.dnsPolicyπ
Type: string
"ClusterFirst"
Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
reportsController.extraArgsπ
Type: object
{}
Description: Extra arguments passed to the container on the command line
reportsController.extraEnvVarsπ
Type: list
[]
Description: Additional container environment variables.
reportsController.resources.limitsπ
Type: object
memory: 128Mi
Description: Pod resource limits
reportsController.resources.requestsπ
Type: object
cpu: 100m
memory: 64Mi
Description: Pod resource requests
reportsController.nodeSelectorπ
Type: object
{}
Description: Node labels for pod assignment
reportsController.tolerationsπ
Type: list
[]
Description: List of node taints to tolerate
reportsController.antiAffinity.enabledπ
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
reportsController.podAffinityπ
Type: object
{}
Description: Pod affinity constraints.
reportsController.nodeAffinityπ
Type: object
{}
Description: Node affinity constraints.
reportsController.topologySpreadConstraintsπ
Type: list
[]
Description: Topology spread constraints.
reportsController.podSecurityContextπ
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
reportsController.securityContextπ
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
reportsController.podDisruptionBudget.enabledπ
Type: bool
false
Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
reportsController.podDisruptionBudget.minAvailableπ
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.
reportsController.podDisruptionBudget.maxUnavailableπ
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.
reportsController.tufRootMountPathπ
Type: string
"/.sigstore"
Description: A writable volume to use for the TUF root initialization.
reportsController.sigstoreVolumeπ
Type: object
emptyDir: {}
Description: Volume to be mounted in pods for TUF/cosign work.
reportsController.caCertificates.dataπ
Type: string
nil
Description: CA certificates to use with Kyverno deployments. This value is expected to be one large string of CA certificates.
reportsController.caCertificates.volumeπ
Type: object
{}
Description: Volume to be mounted for CA certificates. Not used when .Values.reportsController.caCertificates.data is defined.
reportsController.metricsService.createπ
Type: bool
true
Description: Create service.
reportsController.metricsService.portπ
Type: int
8000
Description: Service port. Metrics server will be exposed at this port.
reportsController.metricsService.typeπ
Type: string
"ClusterIP"
Description: Service type.
reportsController.metricsService.nodePortπ
Type: string
nil
Description: Service node port. Only used if type is NodePort.
reportsController.metricsService.annotationsπ
Type: object
{}
Description: Service annotations.
reportsController.networkPolicy.enabledπ
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook. This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
reportsController.networkPolicy.ingressFromπ
Type: list
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
reportsController.serviceMonitor.enabledπ
Type: bool
false
Description: Create a ServiceMonitor to collect Prometheus metrics.
reportsController.serviceMonitor.additionalLabelsπ
Type: object
{}
Description: Additional labels
reportsController.serviceMonitor.namespaceπ
Type: string
nil
Description: Override namespace
reportsController.serviceMonitor.intervalπ
Type: string
"30s"
Description: Interval to scrape metrics
reportsController.serviceMonitor.scrapeTimeoutπ
Type: string
"25s"
Description: Timeout if metrics can't be retrieved in the given time interval
reportsController.serviceMonitor.secureπ
Type: bool
false
Description: Whether TLS is required for the endpoint
reportsController.serviceMonitor.tlsConfigπ
Type: object
{}
Description: TLS Configuration for endpoint
reportsController.serviceMonitor.relabelingsπ
Type: list
[]
Description: RelabelConfigs to apply to samples before scraping
reportsController.serviceMonitor.metricRelabelingsπ
Type: list
[]
Description: MetricRelabelConfigs to apply to samples before ingestion.
reportsController.tracing.enabledπ
Type: bool
false
Description: Enable tracing
reportsController.tracing.addressπ
Type: string
nil
Description: Traces receiver address
reportsController.tracing.portπ
Type: string
nil
Description: Traces receiver port
reportsController.tracing.credsπ
Type: string
nil
Description: Traces receiver credentials
reportsController.metering.disabledπ
Type: bool
false
Description: Disable metrics export
reportsController.metering.configπ
Type: string
"prometheus"
Description: OpenTelemetry (Otel) configuration; can be prometheus or grpc
reportsController.metering.portπ
Type: int
8000
Description: Prometheus endpoint port
reportsController.metering.collectorπ
Type: string
nil
Description: Otel collector endpoint
reportsController.metering.credsπ
Type: string
nil
Description: Otel collector credentials
reportsController.profiling.enabledπ
Type: bool
false
Description: Enable profiling
reportsController.profiling.portπ
Type: int
6060
Description: Profiling endpoint port
reportsController.profiling.serviceTypeπ
Type: string
"ClusterIP"
Description: Service type.
reportsController.profiling.nodePortπ
Type: string
nil
Description: Service node port. Only used if type is NodePort.
networkPolicies.enabledπ
Type: bool
false
networkPolicies.controlPlaneCidrπ
Type: string
"0.0.0.0/0"
networkPolicies.externalRegistries.allowEgressπ
Type: bool
false
networkPolicies.externalRegistries.portsπ
Type: list
[]
networkPolicies.allowExternalRegistryEgressπ
Type: bool
false
networkPolicies.additionalPoliciesπ
Type: list
[]
istio.enabledπ
Type: bool
false
openshiftπ
Type: bool
false
bbtests.enabledπ
Type: bool
false
bbtests.scripts.imageπ
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5"
bbtests.scripts.additionalVolumeMounts[0].nameπ
Type: string
"kyverno-bbtest-manifest"
bbtests.scripts.additionalVolumeMounts[0].mountPathπ
Type: string
"/yaml"
bbtests.scripts.additionalVolumes[0].nameπ
Type: string
"kyverno-bbtest-manifest"
bbtests.scripts.additionalVolumes[0].configMap.nameπ
Type: string
"kyverno-bbtest-manifest"