
kyverno values.yamlπŸ“œ

global.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Global value that allows a single image registry to be set across all deployments. When set, it overrides any values set under .image.registry across the chart.

global.imagePullSecrets[0].nameπŸ“œ

Type: string

Default value
"private-registry"

global.caCertificates.dataπŸ“œ

Type: string

Default value
nil

Description: Global CA certificates to use with Kyverno deployments. This value is expected to be one large string of CA certificates. Individual controller values will override this global value.

global.caCertificates.volumeπŸ“œ

Type: object

Default value
{}

Description: Global value to set a single volume to be mounted for CA certificates for all deployments. Not used when .Values.global.caCertificates.data is defined. Individual controller values will override this global value.

global.extraEnvVarsπŸ“œ

Type: list

Default value
[]

Description: Additional container environment variables to apply to all containers and init containers

global.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Global node labels for pod assignment. Non-global values will override the global value.

nameOverrideπŸ“œ

Type: string

Default value
nil

Description: Override the name of the chart

fullnameOverrideπŸ“œ

Type: string

Default value
nil

Description: Override the expanded name of the chart

namespaceOverrideπŸ“œ

Type: string

Default value
nil

Description: Override the namespace the chart deploys to

upgrade.fromV2πŸ“œ

Type: bool

Default value
true

Description: Upgrading from v2 to v3 is not allowed by default; set this to true once the changes have been reviewed.

apiVersionOverride.podDisruptionBudgetπŸ“œ

Type: string

Default value
"policy/v1"

Description: Override the API version used to create `PodDisruptionBudget` resources. When not specified, the chart will check if `policy/v1/PodDisruptionBudget` is available to determine the API version automatically.

crds.installπŸ“œ

Type: bool

Default value
true

Description: Whether to have Helm install the Kyverno CRDs; if the CRDs are not installed by Helm, they must be added before policies can be created.

crds.groups.kyvernoπŸ“œ

Type: object

Default value
admissionreports: true
backgroundscanreports: true
cleanuppolicies: true
clusteradmissionreports: true
clusterbackgroundscanreports: true
clustercleanuppolicies: true
clusterpolicies: true
globalcontextentries: true
policies: true
policyexceptions: true
updaterequests: true

Description: Install CRDs in group kyverno.io

crds.groups.reportsπŸ“œ

Type: object

Default value
clusterephemeralreports: true
ephemeralreports: true

Description: Install CRDs in group reports.kyverno.io

crds.groups.wgpolicyk8sπŸ“œ

Type: object

Default value
clusterpolicyreports: true
policyreports: true

Description: Install CRDs in group wgpolicyk8s.io

crds.annotationsπŸ“œ

Type: object

Default value
{}

Description: Additional CRDs annotations

crds.customLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional CRDs labels

crds.migration.enabledπŸ“œ

Type: bool

Default value
true

Description: Enable CRDs migration using helm post upgrade hook

crds.migration.resourcesπŸ“œ

Type: list

Default value
- admissionreports.kyverno.io
- backgroundscanreports.kyverno.io
- cleanuppolicies.kyverno.io
- clusteradmissionreports.kyverno.io
- clusterbackgroundscanreports.kyverno.io
- clustercleanuppolicies.kyverno.io
- clusterpolicies.kyverno.io
- globalcontextentries.kyverno.io
- policies.kyverno.io
- policyexceptions.kyverno.io
- updaterequests.kyverno.io

Description: Resources to migrate

crds.migration.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

crds.migration.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kyverno/kyvernocli"

Description: Image repository

crds.migration.image.tagπŸ“œ

Type: string

Default value
"v1.12.6"

Description: Image tag. Defaults to appVersion in Chart.yaml if omitted.

crds.migration.image.pullPolicyπŸ“œ

Type: string

Default value
nil

Description: Image pull policy

crds.migration.imagePullSecrets[0].nameπŸ“œ

Type: string

Default value
"private-registry"

crds.podSecurityContextπŸ“œ

Type: object

Default value
nodeAffinity: {}
nodeSelector: {}
podAffinity: {}
podAnnotations: {}
podAntiAffinity: {}
podLabels: {}
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 65534
  runAsNonRoot: true
  runAsUser: 65534
  seccompProfile:
    type: RuntimeDefault
tolerations: []

Description: Security context for the pod

crds.podSecurityContext.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

crds.podSecurityContext.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

crds.podSecurityContext.podAntiAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod anti affinity constraints.

crds.podSecurityContext.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

crds.podSecurityContext.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Pod labels.

crds.podSecurityContext.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Pod annotations.

crds.podSecurityContext.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

crds.podSecurityContext.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
  type: RuntimeDefault

Description: Security context for the hook containers

config.createπŸ“œ

Type: bool

Default value
true

Description: Create the configmap.

config.preserveπŸ“œ

Type: bool

Default value
true

Description: Preserve the configmap settings during upgrade.

config.nameπŸ“œ

Type: string

Default value
nil

Description: The configmap name (required if create is false).

config.annotationsπŸ“œ

Type: object

Default value
{}

Description: Additional annotations to add to the configmap.

config.enableDefaultRegistryMutationπŸ“œ

Type: bool

Default value
true

Description: Enable registry mutation for container images. Enabled by default.

config.defaultRegistryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: The registry hostname used for the image mutation.

config.excludeGroupsπŸ“œ

Type: list

Default value
- system:nodes

Description: Exclude groups

config.excludeUsernamesπŸ“œ

Type: list

Default value
[]

Description: Exclude usernames

config.excludeRolesπŸ“œ

Type: list

Default value
[]

Description: Exclude roles

config.excludeClusterRolesπŸ“œ

Type: list

Default value
[]

Description: Exclude cluster roles

config.generateSuccessEventsπŸ“œ

Type: bool

Default value
false

Description: Generate success events.

config.webhooksπŸ“œ

Type: list

Default value
- namespaceSelector:
    matchExpressions:
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      - kube-system

Description: Defines the namespaceSelector in the webhook configurations. Note that it takes a list of namespaceSelector and/or objectSelector in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if excludeKyvernoNamespace is true (default)

config.webhookAnnotationsπŸ“œ

Type: object

Default value
admissions.enforcer/disabled: 'true'

Description: Defines annotations to set on webhook configurations.

config.webhookLabelsπŸ“œ

Type: object

Default value
{}

Description: Defines labels to set on webhook configurations.

config.matchConditionsπŸ“œ

Type: list

Default value
[]

Description: Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+).

config.excludeKyvernoNamespaceπŸ“œ

Type: bool

Default value
true

Description: Exclude Kyverno namespace. Determines if the default Kyverno namespace exclusion is enabled for webhooks and resourceFilters.

config.resourceFiltersExcludeNamespacesπŸ“œ

Type: list

Default value
[]

Description: resourceFilter namespace exclude. Namespaces to exclude from the default resourceFilters.

config.resourceFiltersExcludeπŸ“œ

Type: list

Default value
[]

Description: resourceFilters exclude list. Items to exclude from config.resourceFilters.

config.resourceFiltersIncludeNamespacesπŸ“œ

Type: list

Default value
[]

Description: resourceFilter namespace include. Namespaces to include in the default resourceFilters.

config.resourceFiltersIncludeπŸ“œ

Type: list

Default value
[]

Description: resourceFilters include list. Items to include in config.resourceFilters.

metricsConfig.createπŸ“œ

Type: bool

Default value
true

Description: Create the configmap.

metricsConfig.nameπŸ“œ

Type: string

Default value
nil

Description: The configmap name (required if create is false).

metricsConfig.annotationsπŸ“œ

Type: object

Default value
{}

Description: Additional annotations to add to the configmap.

metricsConfig.namespaces.includeπŸ“œ

Type: list

Default value
[]

Description: List of namespaces to capture metrics for.

metricsConfig.namespaces.excludeπŸ“œ

Type: list

Default value
[]

Description: List of namespaces to NOT capture metrics for.

metricsConfig.metricsRefreshIntervalπŸ“œ

Type: string

Default value
nil

Description: Rate at which metrics should reset so as to clean up the memory footprint of Kyverno metrics, if you expect a high memory footprint from Kyverno's metrics. Default: 0, no refresh of metrics. WARNING: This flag has not worked since Kyverno 1.8.0.

metricsConfig.bucketBoundariesπŸ“œ

Type: list

Default value
- 0.005
- 0.01
- 0.025
- 0.05
- 0.1
- 0.25
- 0.5
- 1
- 2.5
- 5
- 10
- 15
- 20
- 25
- 30

Description: Configures the bucket boundaries for all Histogram metrics; changing this configuration requires a restart of the Kyverno admission controller.

metricsConfig.metricsExposureπŸ“œ

Type: map

Default value
nil

Description: Configures the exposure of individual metrics. By default all metrics and all labels are exported; changing this configuration requires a restart of the Kyverno admission controller.

imagePullSecretsπŸ“œ

Type: object

Default value
{}

Description: Image pull secrets for image verification policies; this defines the --imagePullSecrets argument.

existingImagePullSecretsπŸ“œ

Type: list

Default value
- private-registry

Description: Existing image pull secrets for image verification policies; this defines the --imagePullSecrets argument.

test.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

test.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/redhat/ubi/ubi9-minimal"

Description: Image repository

test.image.tagπŸ“œ

Type: string

Default value
"9.4"

Description: Image tag. Defaults to latest if omitted.

test.image.pullPolicyπŸ“œ

Type: string

Default value
nil

Description: Image pull policy. Defaults to image.pullPolicy if omitted.

test.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

test.resources.limitsπŸ“œ

Type: object

Default value
cpu: 100m
memory: 256Mi

Description: Pod resource limits

test.resources.requestsπŸ“œ

Type: object

Default value
cpu: 10m
memory: 64Mi

Description: Pod resource requests

test.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534

Description: Security context for the test pod

test.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
  type: RuntimeDefault

Description: Security context for the test containers

customLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels

webhooksCleanup.enabledπŸ“œ

Type: bool

Default value
true

Description: Create a helm pre-delete hook to cleanup webhooks.

webhooksCleanup.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

webhooksCleanup.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

webhooksCleanup.image.tagπŸ“œ

Type: string

Default value
"v1.30.5"

Description: Image tag. Defaults to latest if omitted.

webhooksCleanup.image.pullPolicyπŸ“œ

Type: string

Default value
nil

Description: Image pull policy. Defaults to image.pullPolicy if omitted.

webhooksCleanup.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

webhooksCleanup.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

webhooksCleanup.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001

Description: Security context for the pod

webhooksCleanup.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

webhooksCleanup.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

webhooksCleanup.podAntiAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod anti affinity constraints.

webhooksCleanup.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

webhooksCleanup.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Pod labels.

webhooksCleanup.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Pod annotations.

webhooksCleanup.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

webhooksCleanup.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
  type: RuntimeDefault

Description: Security context for the hook containers

webhooksCleanup.resourcesπŸ“œ

Type: object

Default value
limits:
  cpu: '0.5'
  memory: 256Mi
requests:
  cpu: '0.5'
  memory: 256Mi

Description: Resource limits for the containers

policyReportsCleanup.enabledπŸ“œ

Type: bool

Default value
false

Description: Create a helm post-upgrade hook to cleanup the old policy reports.

policyReportsCleanup.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

policyReportsCleanup.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

policyReportsCleanup.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

policyReportsCleanup.image.tagπŸ“œ

Type: string

Default value
"v1.30.5"

Description: Image tag. Defaults to latest if omitted.

policyReportsCleanup.image.pullPolicyπŸ“œ

Type: string

Default value
nil

Description: Image pull policy. Defaults to image.pullPolicy if omitted.

policyReportsCleanup.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

policyReportsCleanup.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001

Description: Security context for the pod

policyReportsCleanup.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

policyReportsCleanup.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

policyReportsCleanup.podAntiAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod anti affinity constraints.

policyReportsCleanup.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

policyReportsCleanup.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Pod labels.

policyReportsCleanup.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Pod annotations.

policyReportsCleanup.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

policyReportsCleanup.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
  type: RuntimeDefault

Description: Security context for the hook containers

policyReportsCleanup.resourcesπŸ“œ

Type: object

Default value
limits:
  cpu: '1'
  memory: 512Mi
requests:
  cpu: '0.5'
  memory: 256Mi

Description: Resource limits for the containers

grafana.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable grafana dashboard creation.

grafana.configMapNameπŸ“œ

Type: string

Default value
"{{ include \"kyverno.fullname\" . }}-grafana"

Description: Configmap name template.

grafana.namespaceπŸ“œ

Type: string

Default value
nil

Description: Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed.

grafana.annotationsπŸ“œ

Type: object

Default value
{}

Description: Grafana dashboard configmap annotations.

grafana.labelsπŸ“œ

Type: object

Default value
grafana_dashboard: '1'

Description: Grafana dashboard configmap labels

grafana.grafanaDashboardπŸ“œ

Type: object

Default value
create: false
matchLabels:
  dashboards: grafana

Description: Create a GrafanaDashboard custom resource referencing the configMap, according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/

features.admissionReports.enabledπŸ“œ

Type: bool

Default value
true

Description: Enables the feature

features.aggregateReports.enabledπŸ“œ

Type: bool

Default value
true

Description: Enables the feature

features.policyReports.enabledπŸ“œ

Type: bool

Default value
true

Description: Enables the feature

features.validatingAdmissionPolicyReports.enabledπŸ“œ

Type: bool

Default value
false

Description: Enables the feature

features.autoUpdateWebhooks.enabledπŸ“œ

Type: bool

Default value
true

Description: Enables the feature

features.backgroundScan.enabledπŸ“œ

Type: bool

Default value
true

Description: Enables the feature

features.backgroundScan.backgroundScanWorkersπŸ“œ

Type: int

Default value
2

Description: Number of background scan workers

features.backgroundScan.backgroundScanIntervalπŸ“œ

Type: string

Default value
"1h"

Description: Background scan interval

features.backgroundScan.skipResourceFiltersπŸ“œ

Type: bool

Default value
true

Description: Skips resource filters in background scan

features.configMapCaching.enabledπŸ“œ

Type: bool

Default value
true

Description: Enables the feature

features.deferredLoading.enabledπŸ“œ

Type: bool

Default value
true

Description: Enables the feature

features.dumpPayload.enabledπŸ“œ

Type: bool

Default value
false

Description: Enables the feature

features.forceFailurePolicyIgnore.enabledπŸ“œ

Type: bool

Default value
false

Description: Enables the feature

features.generateValidatingAdmissionPolicy.enabledπŸ“œ

Type: bool

Default value
false

Description: Enables the feature

features.globalContext.maxApiCallResponseLengthπŸ“œ

Type: int

Default value
2000000

Description: Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended)

features.logging.formatπŸ“œ

Type: string

Default value
"text"

Description: Logging format

features.logging.verbosityπŸ“œ

Type: int

Default value
2

Description: Logging verbosity

features.omitEvents.eventTypesπŸ“œ

Type: list

Default value
- PolicyApplied
- PolicySkipped

Description: Events which should not be emitted (possible values PolicyViolation, PolicyApplied, PolicyError, and PolicySkipped)

features.policyExceptions.enabledπŸ“œ

Type: bool

Default value
true

Description: Enables the feature

features.policyExceptions.namespaceπŸ“œ

Type: string

Default value
"kyverno"

Description: Restrict policy exceptions to a single namespace

features.protectManagedResources.enabledπŸ“œ

Type: bool

Default value
false

Description: Enables the feature

features.registryClient.allowInsecureπŸ“œ

Type: bool

Default value
false

Description: Allow insecure registry

features.registryClient.credentialHelpersπŸ“œ

Type: list

Default value
- default
- google
- amazon
- azure
- github

Description: Enable registry client helpers

features.reports.chunkSizeπŸ“œ

Type: int

Default value
0

Description: Reports chunk size

features.ttlController.reconciliationIntervalπŸ“œ

Type: string

Default value
"1m"

Description: Reconciliation interval for the label based cleanup manager

features.tuf.enabledπŸ“œ

Type: bool

Default value
false

Description: Enables the feature

features.tuf.rootπŸ“œ

Type: string

Default value
nil

Description: Tuf root

features.tuf.mirrorπŸ“œ

Type: string

Default value
nil

Description: Tuf mirror

cleanupJobs.rbac.serviceAccount.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
false

cleanupJobs.admissionReports.enabledπŸ“œ

Type: bool

Default value
true

Description: Enable cleanup cronjob

cleanupJobs.admissionReports.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

cleanupJobs.admissionReports.backoffLimitπŸ“œ

Type: int

Default value
3

Description: Maximum number of retries before considering a Job as failed. Defaults to 3.

cleanupJobs.admissionReports.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupJobs.admissionReports.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

cleanupJobs.admissionReports.image.tagπŸ“œ

Type: string

Default value
"v1.30.5"

Description: Image tag. Defaults to latest if omitted.

cleanupJobs.admissionReports.image.pullPolicyπŸ“œ

Type: string

Default value
nil

Description: Image pull policy. Defaults to image.pullPolicy if omitted.

cleanupJobs.admissionReports.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

cleanupJobs.admissionReports.scheduleπŸ“œ

Type: string

Default value
"*/10 * * * *"

Description: Cronjob schedule

cleanupJobs.admissionReports.thresholdπŸ“œ

Type: int

Default value
10000

Description: Reports threshold; if the number of reports is above this value, the cronjob will start deleting them.

cleanupJobs.admissionReports.historyπŸ“œ

Type: object

Default value
failure: 1
success: 1

Description: Cronjob history

cleanupJobs.admissionReports.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

cleanupJobs.admissionReports.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

cleanupJobs.admissionReports.priorityClassNameπŸ“œ

Type: string

Default value
""

Description: Pod PriorityClassName

cleanupJobs.admissionReports.resourcesπŸ“œ

Type: object

Default value
{}

Description: Job resources

cleanupJobs.admissionReports.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

cleanupJobs.admissionReports.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

cleanupJobs.admissionReports.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Pod Annotations

cleanupJobs.admissionReports.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Pod labels

cleanupJobs.admissionReports.podAntiAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod anti affinity constraints.

cleanupJobs.admissionReports.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

cleanupJobs.admissionReports.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

cleanupJobs.clusterAdmissionReports.enabledπŸ“œ

Type: bool

Default value
true

Description: Enable cleanup cronjob

cleanupJobs.clusterAdmissionReports.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

cleanupJobs.clusterAdmissionReports.backoffLimitπŸ“œ

Type: int

Default value
3

Description: Maximum number of retries before considering a Job as failed. Defaults to 3.

cleanupJobs.clusterAdmissionReports.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupJobs.clusterAdmissionReports.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

cleanupJobs.clusterAdmissionReports.image.tagπŸ“œ

Type: string

Default value
"v1.30.5"

Description: Image tag. Defaults to latest if omitted.

cleanupJobs.clusterAdmissionReports.image.pullPolicyπŸ“œ

Type: string

Default value
nil

Description: Image pull policy. Defaults to image.pullPolicy if omitted.

cleanupJobs.clusterAdmissionReports.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

cleanupJobs.clusterAdmissionReports.scheduleπŸ“œ

Type: string

Default value
"*/10 * * * *"

Description: Cronjob schedule

cleanupJobs.clusterAdmissionReports.thresholdπŸ“œ

Type: int

Default value
10000

Description: Reports threshold; if the number of reports is above this value, the cronjob will start deleting them.

cleanupJobs.clusterAdmissionReports.historyπŸ“œ

Type: object

Default value
failure: 1
success: 1

Description: Cronjob history

cleanupJobs.clusterAdmissionReports.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

cleanupJobs.clusterAdmissionReports.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

cleanupJobs.clusterAdmissionReports.priorityClassNameπŸ“œ

Type: string

Default value
""

Description: Pod PriorityClassName

cleanupJobs.clusterAdmissionReports.resourcesπŸ“œ

Type: object

Default value
{}

Description: Job resources

cleanupJobs.clusterAdmissionReports.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

cleanupJobs.clusterAdmissionReports.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

cleanupJobs.clusterAdmissionReports.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Pod Annotations

cleanupJobs.clusterAdmissionReports.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Pod Labels

cleanupJobs.clusterAdmissionReports.podAntiAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod anti affinity constraints.

cleanupJobs.clusterAdmissionReports.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

cleanupJobs.clusterAdmissionReports.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

cleanupJobs.updateRequests.enabledπŸ“œ

Type: bool

Default value
true

Description: Enable cleanup cronjob

cleanupJobs.updateRequests.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

cleanupJobs.updateRequests.backoffLimitπŸ“œ

Type: int

Default value
3

Description: Maximum number of retries before considering a Job as failed. Defaults to 3.

cleanupJobs.updateRequests.ttlSecondsAfterFinishedπŸ“œ

Type: string

Default value
""

Description: Time until the pod from the cronjob is deleted

cleanupJobs.updateRequests.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupJobs.updateRequests.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

cleanupJobs.updateRequests.image.tagπŸ“œ

Type: string

Default value
"v1.30.5"

Description: Image tag. Defaults to latest if omitted.

cleanupJobs.updateRequests.image.pullPolicyπŸ“œ

Type: string

Default value
nil

Description: Image pull policy. Defaults to image.pullPolicy if omitted.

cleanupJobs.updateRequests.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

cleanupJobs.updateRequests.scheduleπŸ“œ

Type: string

Default value
"*/10 * * * *"

Description: Cronjob schedule

cleanupJobs.updateRequests.thresholdπŸ“œ

Type: int

Default value
10000

Description: Reports threshold; if the number of updateRequests is above this value, the cronjob will start deleting them.

cleanupJobs.updateRequests.historyπŸ“œ

Type: object

Default value
failure: 1
success: 1

Description: Cronjob history

cleanupJobs.updateRequests.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

cleanupJobs.updateRequests.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

cleanupJobs.updateRequests.priorityClassNameπŸ“œ

Type: string

Default value
""

Description: Pod PriorityClassName

cleanupJobs.updateRequests.resourcesπŸ“œ

Type: object

Default value
{}

Description: Job resources

cleanupJobs.updateRequests.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

cleanupJobs.updateRequests.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

cleanupJobs.updateRequests.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Pod Annotations

cleanupJobs.updateRequests.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Pod labels

cleanupJobs.updateRequests.podAntiAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod anti affinity constraints.

cleanupJobs.updateRequests.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

cleanupJobs.updateRequests.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

cleanupJobs.ephemeralReports.enabledπŸ“œ

Type: bool

Default value
true

Description: Enable cleanup cronjob

cleanupJobs.ephemeralReports.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

cleanupJobs.ephemeralReports.backoffLimitπŸ“œ

Type: int

Default value
3

Description: Maximum number of retries before considering a Job as failed. Defaults to 3.

cleanupJobs.ephemeralReports.ttlSecondsAfterFinishedπŸ“œ

Type: string

Default value
""

Description: Time until the pod from the cronjob is deleted

cleanupJobs.ephemeralReports.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupJobs.ephemeralReports.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

cleanupJobs.ephemeralReports.image.tagπŸ“œ

Type: string

Default value
"v1.30.5"

Description: Image tag. Defaults to latest if omitted.

cleanupJobs.ephemeralReports.image.pullPolicyπŸ“œ

Type: string

Default value
nil

Description: Image pull policy. Defaults to image.pullPolicy if omitted.

cleanupJobs.ephemeralReports.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

cleanupJobs.ephemeralReports.scheduleπŸ“œ

Type: string

Default value
"*/10 * * * *"

Description: Cronjob schedule

cleanupJobs.ephemeralReports.thresholdπŸ“œ

Type: int

Default value
10000

Description: Reports threshold; if the number of ephemeral reports is above this value the cronjob will start deleting them.

cleanupJobs.ephemeralReports.historyπŸ“œ

Type: object

Default value
failure: 1
success: 1

Description: Cronjob history

cleanupJobs.ephemeralReports.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001

Description: Security context for the pod

cleanupJobs.ephemeralReports.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

cleanupJobs.ephemeralReports.priorityClassNameπŸ“œ

Type: string

Default value
""

Description: Pod PriorityClassName

cleanupJobs.ephemeralReports.resourcesπŸ“œ

Type: object

Default value
{}

Description: Job resources

cleanupJobs.ephemeralReports.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

cleanupJobs.ephemeralReports.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

cleanupJobs.ephemeralReports.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Pod Annotations

cleanupJobs.ephemeralReports.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Pod labels

cleanupJobs.ephemeralReports.podAntiAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod anti affinity constraints.

cleanupJobs.ephemeralReports.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

cleanupJobs.ephemeralReports.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

cleanupJobs.clusterEphemeralReports.enabledπŸ“œ

Type: bool

Default value
true

Description: Enable cleanup cronjob

cleanupJobs.clusterEphemeralReports.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

cleanupJobs.clusterEphemeralReports.backoffLimitπŸ“œ

Type: int

Default value
3

Description: Maximum number of retries before considering a Job as failed. Defaults to 3.

cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinishedπŸ“œ

Type: string

Default value
""

Description: Time until the pod from the cronjob is deleted

cleanupJobs.clusterEphemeralReports.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupJobs.clusterEphemeralReports.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

cleanupJobs.clusterEphemeralReports.image.tagπŸ“œ

Type: string

Default value
"v1.30.5"

Description: Image tag. Defaults to latest if omitted.

cleanupJobs.clusterEphemeralReports.image.pullPolicyπŸ“œ

Type: string

Default value
nil

Description: Image pull policy. Defaults to image.pullPolicy if omitted.

cleanupJobs.clusterEphemeralReports.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

cleanupJobs.clusterEphemeralReports.scheduleπŸ“œ

Type: string

Default value
"*/10 * * * *"

Description: Cronjob schedule

cleanupJobs.clusterEphemeralReports.thresholdπŸ“œ

Type: int

Default value
10000

Description: Reports threshold; if the number of reports is above this value the cronjob will start deleting them.

cleanupJobs.clusterEphemeralReports.historyπŸ“œ

Type: object

Default value
failure: 1
success: 1

Description: Cronjob history

cleanupJobs.clusterEphemeralReports.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001

Description: Security context for the pod

cleanupJobs.clusterEphemeralReports.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

cleanupJobs.clusterEphemeralReports.priorityClassNameπŸ“œ

Type: string

Default value
""

Description: Pod PriorityClassName

cleanupJobs.clusterEphemeralReports.resourcesπŸ“œ

Type: object

Default value
{}

Description: Job resources

cleanupJobs.clusterEphemeralReports.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

cleanupJobs.clusterEphemeralReports.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

cleanupJobs.clusterEphemeralReports.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Pod Annotations

cleanupJobs.clusterEphemeralReports.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Pod Labels

cleanupJobs.clusterEphemeralReports.podAntiAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod anti affinity constraints.

cleanupJobs.clusterEphemeralReports.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

cleanupJobs.clusterEphemeralReports.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

admissionController.featuresOverrideπŸ“œ

Type: object

Default value
admissionReports:
  backPressureThreshold: 1000

Description: Overrides features defined at the root level

admissionController.featuresOverride.admissionReports.backPressureThresholdπŸ“œ

Type: int

Default value
1000

Description: Max number of admission reports allowed in flight until the admission controller stops creating new ones

admissionController.rbac.createπŸ“œ

Type: bool

Default value
true

Description: Create RBAC resources

admissionController.rbac.serviceAccount.nameπŸ“œ

Type: string

Default value
nil

Description: The ServiceAccount name

admissionController.rbac.serviceAccount.annotationsπŸ“œ

Type: object

Default value
{}

Description: Annotations for the ServiceAccount

admissionController.rbac.serviceAccount.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
false

admissionController.rbac.deployment.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

admissionController.rbac.clusterRole.extraResourcesπŸ“œ

Type: list

Default value
[]

Description: Extra resource permissions to add in the cluster role

admissionController.createSelfSignedCertπŸ“œ

Type: bool

Default value
false

Description: Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to true.

admissionController.replicasπŸ“œ

Type: int

Default value
3

Description: Desired number of pods

admissionController.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels to add to each pod

admissionController.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Additional annotations to add to each pod

admissionController.priorityClassNameπŸ“œ

Type: string

Default value
""

Description: Optional priority class

admissionController.apiPriorityAndFairnessπŸ“œ

Type: bool

Default value
false

Description: Set apiPriorityAndFairness to true if you want to insulate the API calls made by the Kyverno admission controller. This helps ensure Kyverno stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/

admissionController.hostNetworkπŸ“œ

Type: bool

Default value
false

Description: Set hostNetwork to true when you want the pod to share its host's network namespace, for example when dealing with a custom CNI on Amazon EKS. Update dnsPolicy accordingly to suit host network mode.

admissionController.webhookServerπŸ“œ

Type: object

Default value
port: 9443

Description: admissionController webhook server port. When using hostNetwork: true, you might want to change the port the webhookServer listens on.

admissionController.dnsPolicyπŸ“œ

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines how DNS resolution happens in the cluster. With hostNetwork: true, the dnsPolicy is usually set to ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

admissionController.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

admissionController.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

admissionController.antiAffinity.enabledπŸ“œ

Type: bool

Default value
true

Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.

admissionController.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

admissionController.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

admissionController.topologySpreadConstraintsπŸ“œ

Type: list

Default value
[]

Description: Topology spread constraints.

admissionController.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001

Description: Security context for the pod

admissionController.podDisruptionBudget.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.

admissionController.podDisruptionBudget.minAvailableπŸ“œ

Type: int

Default value
1

Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.

admissionController.podDisruptionBudget.maxUnavailableπŸ“œ

Type: string

Default value
nil

Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.

admissionController.tufRootMountPathπŸ“œ

Type: string

Default value
"/.sigstore"

Description: A writable volume to use for the TUF root initialization.

admissionController.sigstoreVolumeπŸ“œ

Type: object

Default value
emptyDir: {}

Description: Volume to be mounted in pods for TUF/cosign work.

admissionController.caCertificates.dataπŸ“œ

Type: string

Default value
nil

Description: CA certificates to use with Kyverno deployments. This value is expected to be one large string of CA certificates.

admissionController.caCertificates.volumeπŸ“œ

Type: object

Default value
{}

Description: Volume to be mounted for CA certificates. Not used when .Values.admissionController.caCertificates.data is defined.

admissionController.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

admissionController.initContainer.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

admissionController.initContainer.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kyverno/kyvernopre"

Description: Image repository

admissionController.initContainer.image.tagπŸ“œ

Type: string

Default value
"v1.12.6"

Description: Image tag. If missing, defaults to image.tag.

admissionController.initContainer.image.pullPolicyπŸ“œ

Type: string

Default value
nil

Description: Image pull policy. If missing, defaults to image.pullPolicy.

admissionController.initContainer.resources.limitsπŸ“œ

Type: object

Default value
cpu: 100m
memory: 256Mi

Description: Pod resource limits

admissionController.initContainer.resources.requestsπŸ“œ

Type: object

Default value
cpu: 10m
memory: 64Mi

Description: Pod resource requests

admissionController.initContainer.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
  type: RuntimeDefault

Description: Container security context

admissionController.initContainer.extraArgsπŸ“œ

Type: object

Default value
{}

Description: Additional container args.

admissionController.initContainer.extraEnvVarsπŸ“œ

Type: list

Default value
[]

Description: Additional container environment variables.

admissionController.container.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

admissionController.container.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kyverno"

Description: Image repository

admissionController.container.image.tagπŸ“œ

Type: string

Default value
"v1.12.6"

Description: Image tag. Defaults to appVersion in Chart.yaml if omitted.

admissionController.container.image.pullPolicyπŸ“œ

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

admissionController.container.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

admissionController.container.resources.limitsπŸ“œ

Type: object

Default value
cpu: 500m
memory: 512Mi

Description: Pod resource limits

admissionController.container.resources.requestsπŸ“œ

Type: object

Default value
cpu: 500m
memory: 512Mi

Description: Pod resource requests

admissionController.container.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
  type: RuntimeDefault

Description: Container security context

admissionController.container.extraArgsπŸ“œ

Type: object

Default value
{}

Description: Additional container args.

admissionController.container.extraEnvVarsπŸ“œ

Type: list

Default value
[]

Description: Additional container environment variables.

admissionController.extraInitContainersπŸ“œ

Type: list

Default value
[]

Description: Array of extra init containers

admissionController.extraContainersπŸ“œ

Type: list

Default value
[]

Description: Array of extra containers to run alongside kyverno

admissionController.service.portπŸ“œ

Type: int

Default value
443

Description: Service port.

admissionController.service.typeπŸ“œ

Type: string

Default value
"ClusterIP"

Description: Service type.

admissionController.service.nodePortπŸ“œ

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

admissionController.service.annotationsπŸ“œ

Type: object

Default value
{}

Description: Service annotations.

admissionController.metricsService.createπŸ“œ

Type: bool

Default value
true

Description: Create service.

admissionController.metricsService.portπŸ“œ

Type: int

Default value
8000

Description: Service port. Kyverno's metrics server will be exposed at this port.

admissionController.metricsService.typeπŸ“œ

Type: string

Default value
"ClusterIP"

Description: Service type.

admissionController.metricsService.nodePortπŸ“œ

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

admissionController.metricsService.annotationsπŸ“œ

Type: object

Default value
{}

Description: Service annotations.

admissionController.networkPolicy.enabledπŸ“œ

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to the webhook. This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.

admissionController.networkPolicy.ingressFromπŸ“œ

Type: list

Default value
[]

Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.

admissionController.serviceMonitor.enabledπŸ“œ

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

admissionController.serviceMonitor.additionalLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels

admissionController.serviceMonitor.namespaceπŸ“œ

Type: string

Default value
nil

Description: Override namespace

admissionController.serviceMonitor.intervalπŸ“œ

Type: string

Default value
"30s"

Description: Interval to scrape metrics

admissionController.serviceMonitor.scrapeTimeoutπŸ“œ

Type: string

Default value
"25s"

Description: Timeout if metrics can't be retrieved in the given time interval.

admissionController.serviceMonitor.secureπŸ“œ

Type: bool

Default value
false

Description: Whether TLS is required for the endpoint.

admissionController.serviceMonitor.tlsConfigπŸ“œ

Type: object

Default value
{}

Description: TLS Configuration for endpoint

admissionController.serviceMonitor.relabelingsπŸ“œ

Type: list

Default value
[]

Description: RelabelConfigs to apply to samples before scraping

admissionController.serviceMonitor.metricRelabelingsπŸ“œ

Type: list

Default value
[]

Description: MetricRelabelConfigs to apply to samples before ingestion.

admissionController.tracing.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable tracing

admissionController.tracing.addressπŸ“œ

Type: string

Default value
nil

Description: Traces receiver address

admissionController.tracing.portπŸ“œ

Type: string

Default value
nil

Description: Traces receiver port

admissionController.tracing.credsπŸ“œ

Type: string

Default value
""

Description: Traces receiver credentials

admissionController.metering.disabledπŸ“œ

Type: bool

Default value
false

Description: Disable metrics export

admissionController.metering.configπŸ“œ

Type: string

Default value
"prometheus"

Description: OTel configuration; can be prometheus or grpc.

admissionController.metering.portπŸ“œ

Type: int

Default value
8000

Description: Prometheus endpoint port

admissionController.metering.collectorπŸ“œ

Type: string

Default value
""

Description: Otel collector endpoint

admissionController.metering.credsπŸ“œ

Type: string

Default value
""

Description: Otel collector credentials

admissionController.profiling.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable profiling

admissionController.profiling.portπŸ“œ

Type: int

Default value
6060

Description: Profiling endpoint port

admissionController.profiling.serviceTypeπŸ“œ

Type: string

Default value
"ClusterIP"

Description: Service type.

admissionController.profiling.nodePortπŸ“œ

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

backgroundController.featuresOverrideπŸ“œ

Type: object

Default value
{}

Description: Overrides features defined at the root level

backgroundController.enabledπŸ“œ

Type: bool

Default value
true

Description: Enable background controller.

backgroundController.rbac.createπŸ“œ

Type: bool

Default value
true

Description: Create RBAC resources

backgroundController.rbac.serviceAccount.nameπŸ“œ

Type: string

Default value
nil

Description: Service account name

backgroundController.rbac.serviceAccount.annotationsπŸ“œ

Type: object

Default value
{}

Description: Annotations for the ServiceAccount

backgroundController.rbac.serviceAccount.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
false

backgroundController.rbac.deployment.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

backgroundController.rbac.clusterRole.extraResourcesπŸ“œ

Type: list

Default value
[]

Description: Extra resource permissions to add in the cluster role

backgroundController.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

backgroundController.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kyverno/kyverno/background-controller"

Description: Image repository

backgroundController.image.tagπŸ“œ

Type: string

Default value
"v1.12.6"

Description: Image tag. Defaults to appVersion in Chart.yaml if omitted.

backgroundController.image.pullPolicyπŸ“œ

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

backgroundController.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

backgroundController.replicasπŸ“œ

Type: int

Default value
nil

Description: Desired number of pods

backgroundController.revisionHistoryLimitπŸ“œ

Type: int

Default value
10

Description: The number of revisions to keep

backgroundController.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels to add to each pod

backgroundController.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Additional annotations to add to each pod

backgroundController.priorityClassNameπŸ“œ

Type: string

Default value
""

Description: Optional priority class

backgroundController.hostNetworkπŸ“œ

Type: bool

Default value
false

Description: Set hostNetwork to true when you want the pod to share its host's network namespace, for example when dealing with a custom CNI on Amazon EKS. Update dnsPolicy accordingly to suit host network mode.

backgroundController.dnsPolicyπŸ“œ

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines how DNS resolution happens in the cluster. With hostNetwork: true, the dnsPolicy is usually set to ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

backgroundController.extraArgsπŸ“œ

Type: object

Default value
{}

Description: Extra arguments passed to the container on the command line

backgroundController.extraEnvVarsπŸ“œ

Type: list

Default value
[]

Description: Additional container environment variables.

backgroundController.resources.limitsπŸ“œ

Type: object

Default value
memory: 128Mi

Description: Pod resource limits

backgroundController.resources.requestsπŸ“œ

Type: object

Default value
cpu: 100m
memory: 64Mi

Description: Pod resource requests

backgroundController.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

backgroundController.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

backgroundController.antiAffinity.enabledπŸ“œ

Type: bool

Default value
true

Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.

backgroundController.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

backgroundController.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

backgroundController.topologySpreadConstraintsπŸ“œ

Type: list

Default value
[]

Description: Topology spread constraints.

backgroundController.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

backgroundController.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

backgroundController.podDisruptionBudget.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.

backgroundController.podDisruptionBudget.minAvailableπŸ“œ

Type: int

Default value
1

Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.

backgroundController.podDisruptionBudget.maxUnavailableπŸ“œ

Type: string

Default value
nil

Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.

backgroundController.caCertificates.dataπŸ“œ

Type: string

Default value
nil

Description: CA certificates to use with Kyverno deployments. This value is expected to be one large string of CA certificates.

backgroundController.caCertificates.volumeπŸ“œ

Type: object

Default value
{}

Description: Volume to be mounted for CA certificates. Not used when .Values.backgroundController.caCertificates.data is defined.

backgroundController.metricsService.createπŸ“œ

Type: bool

Default value
true

Description: Create service.

backgroundController.metricsService.portπŸ“œ

Type: int

Default value
8000

Description: Service port. Metrics server will be exposed at this port.

backgroundController.metricsService.typeπŸ“œ

Type: string

Default value
"ClusterIP"

Description: Service type.

backgroundController.metricsService.nodePortπŸ“œ

Type: string

Default value
nil

Description: Service node port. Only used if metricsService.type is NodePort.

backgroundController.metricsService.annotationsπŸ“œ

Type: object

Default value
{}

Description: Service annotations.

backgroundController.networkPolicy.enabledπŸ“œ

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to the webhook. This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.

backgroundController.networkPolicy.ingressFromπŸ“œ

Type: list

Default value
[]

Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.

backgroundController.serviceMonitor.enabledπŸ“œ

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

backgroundController.serviceMonitor.additionalLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels

backgroundController.serviceMonitor.namespaceπŸ“œ

Type: string

Default value
nil

Description: Override namespace

backgroundController.serviceMonitor.intervalπŸ“œ

Type: string

Default value
"30s"

Description: Interval to scrape metrics

backgroundController.serviceMonitor.scrapeTimeoutπŸ“œ

Type: string

Default value
"25s"

Description: Timeout if metrics can't be retrieved in the given time interval.

backgroundController.serviceMonitor.secureπŸ“œ

Type: bool

Default value
false

Description: Whether TLS is required for the endpoint.

backgroundController.serviceMonitor.tlsConfigπŸ“œ

Type: object

Default value
{}

Description: TLS Configuration for endpoint

backgroundController.serviceMonitor.relabelingsπŸ“œ

Type: list

Default value
[]

Description: RelabelConfigs to apply to samples before scraping

backgroundController.serviceMonitor.metricRelabelingsπŸ“œ

Type: list

Default value
[]

Description: MetricRelabelConfigs to apply to samples before ingestion.

backgroundController.tracing.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable tracing

backgroundController.tracing.addressπŸ“œ

Type: string

Default value
nil

Description: Traces receiver address

backgroundController.tracing.portπŸ“œ

Type: string

Default value
nil

Description: Traces receiver port

backgroundController.tracing.credsπŸ“œ

Type: string

Default value
""

Description: Traces receiver credentials

backgroundController.metering.disabledπŸ“œ

Type: bool

Default value
false

Description: Disable metrics export

backgroundController.metering.configπŸ“œ

Type: string

Default value
"prometheus"

Description: OTel configuration; can be prometheus or grpc.

backgroundController.metering.portπŸ“œ

Type: int

Default value
8000

Description: Prometheus endpoint port

backgroundController.metering.collectorπŸ“œ

Type: string

Default value
""

Description: Otel collector endpoint

backgroundController.metering.credsπŸ“œ

Type: string

Default value
""

Description: Otel collector credentials

backgroundController.profiling.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable profiling

backgroundController.profiling.portπŸ“œ

Type: int

Default value
6060

Description: Profiling endpoint port

backgroundController.profiling.serviceTypeπŸ“œ

Type: string

Default value
"ClusterIP"

Description: Service type.

backgroundController.profiling.nodePortπŸ“œ

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

cleanupController.featuresOverrideπŸ“œ

Type: object

Default value
{}

Description: Overrides features defined at the root level

cleanupController.enabledπŸ“œ

Type: bool

Default value
true

Description: Enable cleanup controller.

cleanupController.rbac.createπŸ“œ

Type: bool

Default value
true

Description: Create RBAC resources

cleanupController.rbac.serviceAccount.nameπŸ“œ

Type: string

Default value
nil

Description: Service account name

cleanupController.rbac.serviceAccount.annotationsπŸ“œ

Type: object

Default value
{}

Description: Annotations for the ServiceAccount

cleanupController.rbac.serviceAccount.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
false

cleanupController.rbac.deployment.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

cleanupController.rbac.clusterRole.extraResourcesπŸ“œ

Type: list

Default value
[]

Description: Extra resource permissions to add in the cluster role

cleanupController.createSelfSignedCertπŸ“œ

Type: bool

Default value
false

Description: Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to true.

cleanupController.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupController.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kyverno/kyverno/cleanup-controller"

Description: Image repository

cleanupController.image.tagπŸ“œ

Type: string

Default value
"v1.12.6"

Description: Image tag. Defaults to appVersion in Chart.yaml if omitted.

cleanupController.image.pullPolicyπŸ“œ

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

cleanupController.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

cleanupController.replicasπŸ“œ

Type: int

Default value
nil

Description: Desired number of pods

cleanupController.revisionHistoryLimitπŸ“œ

Type: int

Default value
10

Description: The number of revisions to keep

cleanupController.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels to add to each pod

cleanupController.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Additional annotations to add to each pod

cleanupController.priorityClassNameπŸ“œ

Type: string

Default value
""

Description: Optional priority class

cleanupController.hostNetworkπŸ“œ

Type: bool

Default value
false

Description: Set hostNetwork to true when you want the pod to share its host's network namespace, for example when dealing with a custom CNI on Amazon EKS. Update dnsPolicy accordingly to suit host network mode.

cleanupController.serverπŸ“œ

Type: object

Default value
port: 9443

Description: cleanupController server port. When using hostNetwork: true, you might want to change the port the cleanupController listens on.

cleanupController.webhookServerπŸ“œ

Type: object

Default value
port: 9443

Description: cleanupController webhook server port. When using hostNetwork: true, you might want to change the port the webhookServer listens on.

cleanupController.dnsPolicyπŸ“œ

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines how DNS resolution happens in the cluster. With hostNetwork: true, the dnsPolicy is usually set to ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

cleanupController.extraArgsπŸ“œ

Type: object

Default value
{}

Description: Extra arguments passed to the container on the command line

cleanupController.extraEnvVarsπŸ“œ

Type: list

Default value
[]

Description: Additional container environment variables.

cleanupController.resources.limitsπŸ“œ

Type: object

Default value
memory: 128Mi

Description: Pod resource limits

cleanupController.resources.requestsπŸ“œ

Type: object

Default value
cpu: 100m
memory: 64Mi

Description: Pod resource requests

cleanupController.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

cleanupController.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

cleanupController.antiAffinity.enabledπŸ“œ

Type: bool

Default value
true

Description: Pod anti-affinity toggle. Enabled by default, but can be disabled if you want to schedule pods on the same node.

cleanupController.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

cleanupController.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

cleanupController.topologySpreadConstraintsπŸ“œ

Type: list

Default value
[]

Description: Topology spread constraints.

cleanupController.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

cleanupController.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

cleanupController.podDisruptionBudget.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable PodDisruptionBudget. It will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be a breaking change.

cleanupController.podDisruptionBudget.minAvailableπŸ“œ

Type: int

Default value
1

Description: Configures the minimum number of pods that must remain available during disruptions. Cannot be used if maxUnavailable is set.

cleanupController.podDisruptionBudget.maxUnavailableπŸ“œ

Type: string

Default value
nil

Description: Configures the maximum number of pods that may be unavailable during disruptions. Cannot be used if minAvailable is set.

cleanupController.service.portπŸ“œ

Type: int

Default value
443

Description: Service port.

cleanupController.service.typeπŸ“œ

Type: string

Default value
"ClusterIP"

Description: Service type.

cleanupController.service.nodePortπŸ“œ

Type: string

Default value
nil

Description: Service node port. Only used if service.type is NodePort.

cleanupController.service.annotationsπŸ“œ

Type: object

Default value
{}

Description: Service annotations.

cleanupController.metricsService.createπŸ“œ

Type: bool

Default value
true

Description: Create service.

cleanupController.metricsService.portπŸ“œ

Type: int

Default value
8000

Description: Service port. Metrics server will be exposed at this port.

cleanupController.metricsService.typeπŸ“œ

Type: string

Default value
"ClusterIP"

Description: Service type.

cleanupController.metricsService.nodePortπŸ“œ

Type: string

Default value
nil

Description: Service node port. Only used if metricsService.type is NodePort.

cleanupController.metricsService.annotationsπŸ“œ

Type: object

Default value
{}

Description: Service annotations.

cleanupController.networkPolicy.enabledπŸ“œ

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to the webhook. This is useful on clusters using Calico and/or native Kubernetes network policies in a default-deny setup.

cleanupController.networkPolicy.ingressFromπŸ“œ

Type: list

Default value
[]

Description: A list of valid `from` selectors, as described at https://kubernetes.io/docs/concepts/services-networking/network-policies.

cleanupController.serviceMonitor.enabledπŸ“œ

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

cleanupController.serviceMonitor.additionalLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels

cleanupController.serviceMonitor.namespaceπŸ“œ

Type: string

Default value
nil

Description: Override namespace

cleanupController.serviceMonitor.intervalπŸ“œ

Type: string

Default value
"30s"

Description: Interval to scrape metrics

cleanupController.serviceMonitor.scrapeTimeoutπŸ“œ

Type: string

Default value
"25s"

Description: Timeout if metrics can't be retrieved within the given scrape interval.

cleanupController.serviceMonitor.secureπŸ“œ

Type: bool

Default value
false

Description: Whether TLS is required for the endpoint.

cleanupController.serviceMonitor.tlsConfigπŸ“œ

Type: object

Default value
{}

Description: TLS Configuration for endpoint

cleanupController.serviceMonitor.relabelingsπŸ“œ

Type: list

Default value
[]

Description: RelabelConfigs to apply to samples before scraping.

cleanupController.serviceMonitor.metricRelabelingsπŸ“œ

Type: list

Default value
[]

Description: MetricRelabelConfigs to apply to samples before ingestion.

cleanupController.tracing.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable tracing

cleanupController.tracing.addressπŸ“œ

Type: string

Default value
nil

Description: Traces receiver address

cleanupController.tracing.portπŸ“œ

Type: string

Default value
nil

Description: Traces receiver port

cleanupController.tracing.credsπŸ“œ

Type: string

Default value
""

Description: Traces receiver credentials

cleanupController.metering.disabledπŸ“œ

Type: bool

Default value
false

Description: Disable metrics export

cleanupController.metering.configπŸ“œ

Type: string

Default value
"prometheus"

Description: OTel configuration; can be prometheus or grpc.

cleanupController.metering.portπŸ“œ

Type: int

Default value
8000

Description: Prometheus endpoint port

cleanupController.metering.collectorπŸ“œ

Type: string

Default value
""

Description: Otel collector endpoint

cleanupController.metering.credsπŸ“œ

Type: string

Default value
""

Description: Otel collector credentials

cleanupController.profiling.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable profiling

cleanupController.profiling.portπŸ“œ

Type: int

Default value
6060

Description: Profiling endpoint port

cleanupController.profiling.serviceTypeπŸ“œ

Type: string

Default value
"ClusterIP"

Description: Service type.

cleanupController.profiling.nodePortπŸ“œ

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

reportsController.featuresOverrideπŸ“œ

Type: object

Default value
{}

Description: Overrides features defined at the root level

reportsController.enabledπŸ“œ

Type: bool

Default value
true

Description: Enable reports controller.

reportsController.rbac.createπŸ“œ

Type: bool

Default value
true

Description: Create RBAC resources

reportsController.rbac.serviceAccount.nameπŸ“œ

Type: string

Default value
nil

Description: Service account name

reportsController.rbac.serviceAccount.annotationsπŸ“œ

Type: object

Default value
{}

Description: Annotations for the ServiceAccount

reportsController.rbac.serviceAccount.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
false

reportsController.rbac.deployment.automountServiceAccountToken.enabledπŸ“œ

Type: bool

Default value
true

reportsController.rbac.clusterRole.extraResourcesπŸ“œ

Type: list

Default value
[]

Description: Extra resource permissions to add in the cluster role

reportsController.image.registryπŸ“œ

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

reportsController.image.repositoryπŸ“œ

Type: string

Default value
"ironbank/opensource/kyverno/kyverno/reports-controller"

Description: Image repository

reportsController.image.tagπŸ“œ

Type: string

Default value
"v1.12.6"

Description: Image tag. Defaults to appVersion in Chart.yaml if omitted.

reportsController.image.pullPolicyπŸ“œ

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

reportsController.imagePullSecretsπŸ“œ

Type: list

Default value
- name: private-registry

Description: Image pull secrets

reportsController.replicasπŸ“œ

Type: int

Default value
nil

Description: Desired number of pods

reportsController.revisionHistoryLimitπŸ“œ

Type: int

Default value
10

Description: The number of revisions to keep

reportsController.podLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels to add to each pod

reportsController.podAnnotationsπŸ“œ

Type: object

Default value
{}

Description: Additional annotations to add to each pod

reportsController.priorityClassNameπŸ“œ

Type: string

Default value
""

Description: Optional priority class

reportsController.apiPriorityAndFairnessπŸ“œ

Type: bool

Default value
false

Description: Set apiPriorityAndFairness to true if you want to insulate the API calls made by the Kyverno reports controller. This helps ensure the stability of Kyverno reports in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/

reportsController.hostNetworkπŸ“œ

Type: bool

Default value
false

Description: Set hostNetwork to true when you want the pod to share its host's network namespace. This is useful in situations such as running a custom CNI on Amazon EKS. Update dnsPolicy accordingly to suit host network mode.

reportsController.dnsPolicyπŸ“œ

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines how DNS resolution happens for the pod in the cluster. With hostNetwork: true, dnsPolicy usually needs to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

reportsController.extraArgsπŸ“œ

Type: object

Default value
{}

Description: Extra arguments passed to the container on the command line

reportsController.extraEnvVarsπŸ“œ

Type: list

Default value
[]

Description: Additional container environment variables.

reportsController.resources.limitsπŸ“œ

Type: object

Default value
memory: 128Mi

Description: Pod resource limits

reportsController.resources.requestsπŸ“œ

Type: object

Default value
cpu: 100m
memory: 64Mi

Description: Pod resource requests

reportsController.nodeSelectorπŸ“œ

Type: object

Default value
{}

Description: Node labels for pod assignment

reportsController.tolerationsπŸ“œ

Type: list

Default value
[]

Description: List of node taints to tolerate

reportsController.antiAffinity.enabledπŸ“œ

Type: bool

Default value
true

Description: Pod anti-affinity toggle. Enabled by default, but can be disabled if you want to schedule pods on the same node.

reportsController.podAffinityπŸ“œ

Type: object

Default value
{}

Description: Pod affinity constraints.

reportsController.nodeAffinityπŸ“œ

Type: object

Default value
{}

Description: Node affinity constraints.

reportsController.topologySpreadConstraintsπŸ“œ

Type: list

Default value
[]

Description: Topology spread constraints.

reportsController.podSecurityContextπŸ“œ

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

reportsController.securityContextπŸ“œ

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

reportsController.podDisruptionBudget.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable PodDisruptionBudget. It will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be a breaking change.

reportsController.podDisruptionBudget.minAvailableπŸ“œ

Type: int

Default value
1

Description: Configures the minimum number of pods that must remain available during disruptions. Cannot be used if maxUnavailable is set.

reportsController.podDisruptionBudget.maxUnavailableπŸ“œ

Type: string

Default value
nil

Description: Configures the maximum number of pods that may be unavailable during disruptions. Cannot be used if minAvailable is set.

reportsController.tufRootMountPathπŸ“œ

Type: string

Default value
"/.sigstore"

Description: A writable volume to use for the TUF root initialization.

reportsController.sigstoreVolumeπŸ“œ

Type: object

Default value
emptyDir: {}

Description: Volume to be mounted in pods for TUF/cosign work.

reportsController.caCertificates.dataπŸ“œ

Type: string

Default value
nil

Description: CA certificates to use with Kyverno deployments. This value is expected to be one large string of CA certificates.

reportsController.caCertificates.volumeπŸ“œ

Type: object

Default value
{}

Description: Volume to be mounted for CA certificates. Not used when .Values.reportsController.caCertificates.data is defined.

reportsController.metricsService.createπŸ“œ

Type: bool

Default value
true

Description: Create service.

reportsController.metricsService.portπŸ“œ

Type: int

Default value
8000

Description: Service port. Metrics server will be exposed at this port.

reportsController.metricsService.typeπŸ“œ

Type: string

Default value
"ClusterIP"

Description: Service type.

reportsController.metricsService.nodePortπŸ“œ

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

reportsController.metricsService.annotationsπŸ“œ

Type: object

Default value
{}

Description: Service annotations.

reportsController.networkPolicy.enabledπŸ“œ

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to the webhook. This is useful on clusters using Calico and/or native Kubernetes network policies in a default-deny setup.

reportsController.networkPolicy.ingressFromπŸ“œ

Type: list

Default value
[]

Description: A list of valid `from` selectors, as described at https://kubernetes.io/docs/concepts/services-networking/network-policies.

reportsController.serviceMonitor.enabledπŸ“œ

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

reportsController.serviceMonitor.additionalLabelsπŸ“œ

Type: object

Default value
{}

Description: Additional labels

reportsController.serviceMonitor.namespaceπŸ“œ

Type: string

Default value
nil

Description: Override namespace

reportsController.serviceMonitor.intervalπŸ“œ

Type: string

Default value
"30s"

Description: Interval to scrape metrics

reportsController.serviceMonitor.scrapeTimeoutπŸ“œ

Type: string

Default value
"25s"

Description: Timeout if metrics can't be retrieved within the given scrape interval.

reportsController.serviceMonitor.secureπŸ“œ

Type: bool

Default value
false

Description: Whether TLS is required for the endpoint.

reportsController.serviceMonitor.tlsConfigπŸ“œ

Type: object

Default value
{}

Description: TLS Configuration for endpoint

reportsController.serviceMonitor.relabelingsπŸ“œ

Type: list

Default value
[]

Description: RelabelConfigs to apply to samples before scraping.

reportsController.serviceMonitor.metricRelabelingsπŸ“œ

Type: list

Default value
[]

Description: MetricRelabelConfigs to apply to samples before ingestion.

reportsController.tracing.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable tracing

reportsController.tracing.addressπŸ“œ

Type: string

Default value
nil

Description: Traces receiver address

reportsController.tracing.portπŸ“œ

Type: string

Default value
nil

Description: Traces receiver port

reportsController.tracing.credsπŸ“œ

Type: string

Default value
nil

Description: Traces receiver credentials

reportsController.metering.disabledπŸ“œ

Type: bool

Default value
false

Description: Disable metrics export

reportsController.metering.configπŸ“œ

Type: string

Default value
"prometheus"

Description: OTel configuration; can be prometheus or grpc.

reportsController.metering.portπŸ“œ

Type: int

Default value
8000

Description: Prometheus endpoint port

reportsController.metering.collectorπŸ“œ

Type: string

Default value
nil

Description: Otel collector endpoint

reportsController.metering.credsπŸ“œ

Type: string

Default value
nil

Description: Otel collector credentials

reportsController.profiling.enabledπŸ“œ

Type: bool

Default value
false

Description: Enable profiling

reportsController.profiling.portπŸ“œ

Type: int

Default value
6060

Description: Profiling endpoint port

reportsController.profiling.serviceTypeπŸ“œ

Type: string

Default value
"ClusterIP"

Description: Service type.

reportsController.profiling.nodePortπŸ“œ

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

networkPolicies.enabledπŸ“œ

Type: bool

Default value
false

networkPolicies.controlPlaneCidrπŸ“œ

Type: string

Default value
"0.0.0.0/0"

networkPolicies.externalRegistries.allowEgressπŸ“œ

Type: bool

Default value
false

networkPolicies.externalRegistries.portsπŸ“œ

Type: list

Default value
[]

networkPolicies.allowExternalRegistryEgressπŸ“œ

Type: bool

Default value
false

networkPolicies.additionalPoliciesπŸ“œ

Type: list

Default value
[]

istio.enabledπŸ“œ

Type: bool

Default value
false

openshiftπŸ“œ

Type: bool

Default value
false

bbtests.enabledπŸ“œ

Type: bool

Default value
false

bbtests.scripts.imageπŸ“œ

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.5"

bbtests.scripts.additionalVolumeMounts[0].nameπŸ“œ

Type: string

Default value
"kyverno-bbtest-manifest"

bbtests.scripts.additionalVolumeMounts[0].mountPathπŸ“œ

Type: string

Default value
"/yaml"

bbtests.scripts.additionalVolumes[0].nameπŸ“œ

Type: string

Default value
"kyverno-bbtest-manifest"

bbtests.scripts.additionalVolumes[0].configMap.nameπŸ“œ

Type: string

Default value
"kyverno-bbtest-manifest"