kyverno values.yaml
templatingπ£
Type: object
{"debug":false,"enabled":false,"version":null}
Default value (formatted)
{
"debug": false,
"enabled": false,
"version": null
}
Description: Internal settings used with `helm template` to generate the install manifest. @ignored
nameOverrideπ£
Type: string
nil
Description: Override the name of the chart
fullnameOverrideπ£
Type: string
nil
Description: Override the expanded name of the chart
namespaceπ£
Type: string
nil
Description: Namespace the chart deploys to
customLabelsπ£
Type: object
{}
Default value (formatted)
{}
Description: Additional labels
rbac.createπ£
Type: bool
true
Description: Create ClusterRoles, ClusterRoleBindings, and ServiceAccount
rbac.serviceAccount.createπ£
Type: bool
true
Description: Create a ServiceAccount
rbac.serviceAccount.nameπ£
Type: string
nil
Description: The ServiceAccount name
rbac.serviceAccount.annotationsπ£
Type: object
{}
Default value (formatted)
{}
Description: Annotations for the ServiceAccount
image.registryπ£
Type: string
nil
Description: Image registry
image.repositoryπ£
Type: string
"registry1.dso.mil/ironbank/nirmata/kyverno"
Description: Image repository
image.tagπ£
Type: string
nil
Description: Image tag. Defaults to appVersion in Chart.yaml if omitted.
image.pullPolicyπ£
Type: string
"IfNotPresent"
Description: Image pull policy
image.pullSecretsπ£
Type: list
[]
Default value (formatted)
[]
Description: Image pull secrets
initImage.registryπ£
Type: string
nil
Description: Image registry
initImage.repositoryπ£
Type: string
"registry1.dso.mil/ironbank/nirmata/kyvernopre"
Description: Image repository
initImage.tagπ£
Type: string
nil
Description: Image tag. If initImage.tag is missing, defaults to image.tag.
initImage.pullPolicyπ£
Type: string
nil
Description: Image pull policy. If initImage.pullPolicy is missing, defaults to image.pullPolicy.
initContainer.extraArgsπ£
Type: list
["--loggingFormat=text"]
Default value (formatted)
[
"--loggingFormat=text"
]
Description: Extra arguments to give to the kyvernopre binary.
testImage.registryπ£
Type: string
nil
Description: Image registry
testImage.repositoryπ£
Type: string
"registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal"
Description: Image repository. Defaults to busybox if omitted.
testImage.tagπ£
Type: float
8.7
Description: Image tag. Defaults to latest if omitted. Note that the default value 8.7 is unquoted and is therefore read as a float rather than a string; quote tags (for example "8.7") so they are kept as strings.
testImage.pullPolicyπ£
Type: string
nil
Description: Image pull policy. Defaults to image.pullPolicy if omitted.
replicaCountπ£
Type: int
1
Description: Desired number of pods
podLabelsπ£
Type: object
{}
Default value (formatted)
{}
Description: Additional labels to add to each pod
podAnnotationsπ£
Type: object
{}
Default value (formatted)
{}
Description: Additional annotations to add to each pod
podSecurityContextπ£
Type: object
{}
Default value (formatted)
{}
Description: Security context for the pod
securityContextπ£
Type: object
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"ALL"
]
},
"privileged": false,
"readOnlyRootFilesystem": true,
"runAsNonRoot": true,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
Description: Security context for the containers
testSecurityContextπ£
Type: object
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"ALL"
]
},
"privileged": false,
"readOnlyRootFilesystem": true,
"runAsGroup": 65534,
"runAsNonRoot": true,
"runAsUser": 65534,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
Description: Security context for the test containers
priorityClassNameπ£
Type: string
""
Description: Optional priority class to be used for kyverno pods
antiAffinity.enableπ£
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
podAffinityπ£
Type: object
{}
Default value (formatted)
{}
Description: Pod affinity constraints.
nodeAffinityπ£
Type: object
{}
Default value (formatted)
{}
Description: Node affinity constraints.
podDisruptionBudget.minAvailableπ£
Type: int
1
Description: Configures the minimum available pods for kyverno disruptions. Cannot be used if maxUnavailable is set.
podDisruptionBudget.maxUnavailableπ£
Type: string
nil
Description: Configures the maximum unavailable pods for kyverno disruptions. Cannot be used if minAvailable is set.
nodeSelectorπ£
Type: object
{}
Default value (formatted)
{}
Description: Node labels for pod assignment
tolerationsπ£
Type: list
[]
Default value (formatted)
[]
Description: List of node taints to tolerate
hostNetworkπ£
Type: bool
false
Description: Change hostNetwork to true when you want the kyverno pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.
dnsPolicyπ£
Type: string
"ClusterFirst"
Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, the dnsPolicy is usually best set to ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
envVarsInitπ£
Type: object
{}
Default value (formatted)
{}
Description: Env variables for initContainers.
envVarsπ£
Type: object
{}
Default value (formatted)
{}
Description: Env variables for containers.
extraArgsπ£
Type: list
["--clientRateLimitQPS=25","--clientRateLimitBurst=50","--autogenInternals=false","--loggingFormat=text","--exceptionNamespace={{ include \"kyverno.namespace\" . }}"]
Default value (formatted)
[
"--clientRateLimitQPS=25",
"--clientRateLimitBurst=50",
"--autogenInternals=false",
"--loggingFormat=text",
"--exceptionNamespace={{ include \"kyverno.namespace\" . }}"
]
Description: Extra arguments to give to the binary.
extraInitContainersπ£
Type: list
[]
Default value (formatted)
[]
Description: Array of extra init containers
extraContainersπ£
Type: list
[]
Default value (formatted)
[]
Description: Array of extra containers to run alongside kyverno
imagePullSecretsπ£
Type: object
{}
Default value (formatted)
{}
Description: Image pull secrets for image verify and imageData policies. This will define the --imagePullSecrets Kyverno argument.
existingImagePullSecretsπ£
Type: list
["private-registry"]
Default value (formatted)
[
"private-registry"
]
Description: Existing image pull secrets for image verify and imageData policies. This will define the --imagePullSecrets Kyverno argument.
resources.limitsπ£
Type: object
{"cpu":"500m","memory":"512Mi"}
Default value (formatted)
{
"cpu": "500m",
"memory": "512Mi"
}
Description: Pod resource limits
resources.requestsπ£
Type: object
{"cpu":"500m","memory":"512Mi"}
Default value (formatted)
{
"cpu": "500m",
"memory": "512Mi"
}
Description: Pod resource requests
initResources.limitsπ£
Type: object
{"cpu":"100m","memory":"256Mi"}
Default value (formatted)
{
"cpu": "100m",
"memory": "256Mi"
}
Description: Pod resource limits
initResources.requestsπ£
Type: object
{"cpu":"100m","memory":"256Mi"}
Default value (formatted)
{
"cpu": "100m",
"memory": "256Mi"
}
Description: Pod resource requests
testResources.limitsπ£
Type: object
{"cpu":"100m","memory":"256Mi"}
Default value (formatted)
{
"cpu": "100m",
"memory": "256Mi"
}
Description: Pod resource limits
testResources.requestsπ£
Type: object
{"cpu":"10m","memory":"64Mi"}
Default value (formatted)
{
"cpu": "10m",
"memory": "64Mi"
}
Description: Pod resource requests
generatecontrollerExtraResourcesπ£
Type: list
[]
Default value (formatted)
[]
Description: Additional resources to be added to controller RBAC permissions.
excludeKyvernoNamespaceπ£
Type: bool
true
Description: Exclude Kyverno namespace. Determines if the default Kyverno namespace exclusion is enabled for webhooks and resourceFilters.
resourceFiltersExcludeNamespacesπ£
Type: list
[]
Default value (formatted)
[]
Description: resourceFilter namespace exclude. Namespaces to exclude from the default resourceFilters.
config.existingConfigπ£
Type: string
""
Description: Name of an existing config map (ignores default/provided resourceFilters)
config.annotationsπ£
Type: object
{}
Default value (formatted)
{}
Description: Additional annotations to add to the configmap
config.excludeGroupRoleπ£
Type: string
nil
Description: Exclude group role
config.excludeUsernameπ£
Type: string
nil
Description: Exclude username
config.webhooksπ£
Type: string
nil
Description: Defines the namespaceSelector in the webhook configurations. Note that it takes a list of namespaceSelector and/or objectSelector in JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if excludeKyvernoNamespace is true (the default).
config.generateSuccessEventsπ£
Type: bool
false
Description: Generate success events.
config.metricsConfigπ£
Type: object
{"annotations":{},"namespaces":{"exclude":[],"include":[]}}
Default value (formatted)
{
"annotations": {},
"namespaces": {
"exclude": [],
"include": []
}
}
Description: Metrics config.
config.metricsConfig.annotationsπ£
Type: object
{}
Default value (formatted)
{}
Description: Additional annotations to add to the metricsconfigmap
service.portπ£
Type: int
443
Description: Service port.
service.typeπ£
Type: string
"ClusterIP"
Description: Service type.
service.nodePortπ£
Type: string
nil
Description: Service node port. Only used if service.type is NodePort.
service.annotationsπ£
Type: object
{}
Default value (formatted)
{}
Description: Service annotations.
topologySpreadConstraintsπ£
Type: list
[]
Default value (formatted)
[]
Description: Topology spread constraints.
metricsService.createπ£
Type: bool
true
Description: Create service.
metricsService.portπ£
Type: int
8000
Description: Service port. Kyverno's metrics server will be exposed at this port.
metricsService.typeπ£
Type: string
"ClusterIP"
Description: Service type.
metricsService.nodePortπ£
Type: string
nil
Description: Service node port. Only used if metricsService.type is NodePort.
metricsService.annotationsπ£
Type: object
{}
Default value (formatted)
{}
Description: Service annotations.
serviceMonitor.enabledπ£
Type: bool
false
Description: Create a ServiceMonitor to collect Prometheus metrics.
serviceMonitor.additionalLabelsπ£
Type: string
nil
Description: Additional labels
serviceMonitor.namespaceπ£
Type: string
nil
Description: Override namespace (default is the same as kyverno)
serviceMonitor.intervalπ£
Type: string
"30s"
Description: Interval to scrape metrics
serviceMonitor.scrapeTimeoutπ£
Type: string
"25s"
Description: Timeout if metrics can't be retrieved in the given time interval.
serviceMonitor.secureπ£
Type: bool
false
Description: Is TLS required for endpoint
serviceMonitor.tlsConfigπ£
Type: object
{}
Default value (formatted)
{}
Description: TLS Configuration for endpoint
serviceMonitor.dashboards.namespaceπ£
Type: string
nil
serviceMonitor.dashboards.labelπ£
Type: string
"grafana_dashboard"
createSelfSignedCertπ£
Type: bool
false
Description: Kyverno requires a certificate key pair and a corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred). 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure; as long as you follow the naming scheme, it will be automatically picked up: kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt) and kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt). 3) Let Helm generate a self-signed cert by setting createSelfSignedCert to true. If letting Kyverno create its own CA or providing your own, make sure createSelfSignedCert is false.
installCRDsπ£
Type: bool
true
Description: Whether to have Helm install the Kyverno CRDs. If the CRDs are not installed by Helm, they must be added before policies can be created.
crds.annotationsπ£
Type: object
{}
Default value (formatted)
{}
Description: Additional CRDs annotations.
networkPolicy.enabledπ£
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook. This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
networkPolicy.ingressFromπ£
Type: list
[]
Default value (formatted)
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
webhooksCleanup.enableπ£
Type: bool
false
Description: Create a helm pre-delete hook to cleanup webhooks.
webhooksCleanup.imageπ£
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.26.4"
Description: kubectl image to run commands for deleting webhooks.
tufRootMountPathπ£
Type: string
"/.sigstore"
Description: A writable volume to use for the TUF root initialization.
registriesπ£
Type: object
{"ports":[{"port":443,"protocol":"TCP"}]}
Default value (formatted)
{
"ports": [
{
"port": 443,
"protocol": "TCP"
}
]
}
Description: A list of registry ports to be accepted
networkPolicies.enabledπ£
Type: bool
false
networkPolicies.controlPlaneCidrπ£
Type: string
"0.0.0.0/0"
istio.enabledπ£
Type: bool
false
openshiftπ£
Type: bool
false
bbtests.enabledπ£
Type: bool
false
bbtests.scripts.imageπ£
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.26.4"
bbtests.scripts.additionalVolumeMounts[0].nameπ£
Type: string
"kyverno-bbtest-manifest"
bbtests.scripts.additionalVolumeMounts[0].mountPathπ£
Type: string
"/yaml"
bbtests.scripts.additionalVolumes[0].nameπ£
Type: string
"kyverno-bbtest-manifest"
bbtests.scripts.additionalVolumes[0].configMap.nameπ£
Type: string
"kyverno-bbtest-manifest"
grafana.enabledπ£
Type: bool
false
Description: Enable grafana dashboard creation.
grafana.namespaceπ£
Type: string
nil
Description: Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed.
grafana.annotationsπ£
Type: object
{}
Default value (formatted)
{}
Description: Grafana dashboard configmap annotations.
cleanupController.enabledπ£
Type: bool
false
Description: Enable cleanup controller.
cleanupController.rbac.createπ£
Type: bool
true
Description: Create RBAC resources
cleanupController.rbac.serviceAccount.nameπ£
Type: string
nil
Description: Service account name
cleanupController.rbac.clusterRole.extraResourcesπ£
Type: list
[]
Default value (formatted)
[]
Description: Extra resource permissions to add in the cluster role
cleanupController.createSelfSignedCertπ£
Type: bool
false
Description: Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to true.
cleanupController.image.registryπ£
Type: string
nil
Description: Image registry
cleanupController.image.repositoryπ£
Type: string
"ghcr.io/kyverno/cleanup-controller"
Description: Image repository
cleanupController.image.tagπ£
Type: string
nil
Description: Image tag. Defaults to appVersion in Chart.yaml if omitted.
cleanupController.image.pullPolicyπ£
Type: string
"IfNotPresent"
Description: Image pull policy
cleanupController.image.pullSecretsπ£
Type: list
[]
Default value (formatted)
[]
Description: Image pull secrets
cleanupController.replicasπ£
Type: int
nil
Description: Desired number of pods
cleanupController.priorityClassNameπ£
Type: string
""
Description: Optional priority class
cleanupController.hostNetworkπ£
Type: bool
false
Description: Change hostNetwork to true when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.
cleanupController.dnsPolicyπ£
Type: string
"ClusterFirst"
Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, the dnsPolicy is usually best set to ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
cleanupController.extraArgsπ£
Type: list
[]
Default value (formatted)
[]
Description: Extra arguments passed to the container on the command line
cleanupController.resources.limitsπ£
Type: object
{"memory":"128Mi"}
Default value (formatted)
{
"memory": "128Mi"
}
Description: Pod resource limits
cleanupController.resources.requestsπ£
Type: object
{"cpu":"100m","memory":"64Mi"}
Default value (formatted)
{
"cpu": "100m",
"memory": "64Mi"
}
Description: Pod resource requests
cleanupController.nodeSelectorπ£
Type: object
{}
Default value (formatted)
{}
Description: Node labels for pod assignment
cleanupController.tolerationsπ£
Type: list
[]
Default value (formatted)
[]
Description: List of node taints to tolerate
cleanupController.antiAffinity.enabledπ£
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
cleanupController.podAffinityπ£
Type: object
{}
Default value (formatted)
{}
Description: Pod affinity constraints.
cleanupController.nodeAffinityπ£
Type: object
{}
Default value (formatted)
{}
Description: Node affinity constraints.
cleanupController.topologySpreadConstraintsπ£
Type: list
[]
Default value (formatted)
[]
Description: Topology spread constraints.
cleanupController.podSecurityContextπ£
Type: object
{}
Default value (formatted)
{}
Description: Security context for the pod
cleanupController.securityContextπ£
Type: object
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}
Default value (formatted)
{
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"ALL"
]
},
"privileged": false,
"readOnlyRootFilesystem": true,
"runAsNonRoot": true,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
Description: Security context for the containers
cleanupController.podDisruptionBudget.minAvailableπ£
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.
cleanupController.podDisruptionBudget.maxUnavailableπ£
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.
cleanupController.service.portπ£
Type: int
443
Description: Service port.
cleanupController.service.typeπ£
Type: string
"ClusterIP"
Description: Service type.
cleanupController.service.nodePortπ£
Type: string
nil
Description: Service node port. Only used if service.type is NodePort.
cleanupController.service.annotationsπ£
Type: object
{}
Default value (formatted)
{}
Description: Service annotations.
cleanupController.metricsService.createπ£
Type: bool
true
Description: Create service.
cleanupController.metricsService.portπ£
Type: int
8000
Description: Service port. Metrics server will be exposed at this port.
cleanupController.metricsService.typeπ£
Type: string
"ClusterIP"
Description: Service type.
cleanupController.metricsService.nodePortπ£
Type: string
nil
Description: Service node port. Only used if metricsService.type is NodePort.
cleanupController.metricsService.annotationsπ£
Type: object
{}
Default value (formatted)
{}
Description: Service annotations.
cleanupController.serviceMonitor.enabledπ£
Type: bool
false
Description: Create a ServiceMonitor to collect Prometheus metrics.
cleanupController.serviceMonitor.additionalLabelsπ£
Type: string
nil
Description: Additional labels
cleanupController.serviceMonitor.namespaceπ£
Type: string
nil
Description: Override namespace (default is the same as kyverno)
cleanupController.serviceMonitor.intervalπ£
Type: string
"30s"
Description: Interval to scrape metrics
cleanupController.serviceMonitor.scrapeTimeoutπ£
Type: string
"25s"
Description: Timeout if metrics can't be retrieved in the given time interval.
cleanupController.serviceMonitor.secureπ£
Type: bool
false
Description: Is TLS required for endpoint
cleanupController.serviceMonitor.tlsConfigπ£
Type: object
{}
Default value (formatted)
{}
Description: TLS Configuration for endpoint
cleanupController.tracing.enabledπ£
Type: bool
false
Description: Enable tracing
cleanupController.tracing.addressπ£
Type: string
nil
Description: Traces receiver address
cleanupController.tracing.portπ£
Type: string
nil
Description: Traces receiver port
cleanupController.tracing.credsπ£
Type: string
""
Description: Traces receiver credentials
cleanupController.logging.formatπ£
Type: string
"text"
Description: Logging format
cleanupController.metering.disabledπ£
Type: bool
false
Description: Disable metrics export
cleanupController.metering.configπ£
Type: string
"prometheus"
Description: Otel configuration, can be prometheus or grpc.
cleanupController.metering.portπ£
Type: int
8000
Description: Prometheus endpoint port
cleanupController.metering.collectorπ£
Type: string
""
Description: Otel collector endpoint
cleanupController.metering.credsπ£
Type: string
""
Description: Otel collector credentials