
kyverno values.yaml📜

networkPolicies.enabled📜

Type: bool

Default value
false

networkPolicies.ingress.defaults.allowPrometheusToIstioSidecar.enabled📜

Type: bool

Default value
false

networkPolicies.ingress.definitions.kubeAPI.from[0].ipBlock.cidr📜

Type: string

Default value
"192.168.0.0/16"

networkPolicies.ingress.definitions.kubeAPI.from[1].ipBlock.cidr📜

Type: string

Default value
"172.16.0.0/12"

networkPolicies.ingress.definitions.kubeAPI.from[2].ipBlock.cidr📜

Type: string

Default value
"10.0.0.0/8"

networkPolicies.ingress.to.kyverno-admission-controller:9443.podSelector.matchLabels."app.kubernetes.io/component"📜

Type: string

Default value
"admission-controller"

networkPolicies.ingress.to.kyverno-admission-controller:9443.from.definition.kubeAPI📜

Type: bool

Default value
true

networkPolicies.ingress.to.kyverno:8000.podSelector.matchLabels."app.kubernetes.io/instance"📜

Type: string

Default value
"kyverno-kyverno"

networkPolicies.ingress.to.kyverno:8000.from.k8s.monitoring/prometheus📜

Type: bool

Default value
true

networkPolicies.egress.defaults.allowIstiod.enabled📜

Type: bool

Default value
false

networkPolicies.egress.definitions.private-registry.to[0].ipBlock.cidr📜

Type: string

Default value
"15.205.173.153/32"

networkPolicies.egress.definitions.private-registry.ports[0].port📜

Type: int

Default value
443

networkPolicies.egress.definitions.private-registry.ports[0].protocol📜

Type: string

Default value
"TCP"

networkPolicies.egress.from.kyverno-admission-controller.podSelector.matchLabels."app.kubernetes.io/component"📜

Type: string

Default value
"admission-controller"

networkPolicies.egress.from.kyverno-admission-controller.to.definition.private-registry📜

Type: bool

Default value
true

networkPolicies.egress.from.kyverno-admission-controller.to.definition.kubeAPI📜

Type: bool

Default value
true

networkPolicies.egress.from.kyverno-migrate-resources.podSelector.matchLabels."batch.kubernetes.io/job-name"📜

Type: string

Default value
"kyverno-kyverno-migrate-resources"

networkPolicies.egress.from.kyverno-migrate-resources.to.definition.kubeAPI📜

Type: bool

Default value
true

networkPolicies.externalRegistries📜

Type: object

Default value
allowEgress: false
ports: []

Description: This section will be deprecated in the next major release in favor of the bb-common definition

networkPolicies.additionalPolicies📜

Type: list

Default value
[]

istio.enabled📜

Type: bool

Default value
false

openshift📜

Type: bool

Default value
false

bbtests.enabled📜

Type: bool

Default value
false

bbtests.scripts.image📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.35.5"

bbtests.scripts.additionalVolumeMounts[0].name📜

Type: string

Default value
"kyverno-bbtest-manifest"

bbtests.scripts.additionalVolumeMounts[0].mountPath📜

Type: string

Default value
"/yaml"

bbtests.scripts.additionalVolumes[0].name📜

Type: string

Default value
"kyverno-bbtest-manifest"

bbtests.scripts.additionalVolumes[0].configMap.name📜

Type: string

Default value
"kyverno-bbtest-manifest"

global.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Global value that sets a single image registry across all deployments. When set, it overrides any values set under .image.registry across the chart.

global.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

global.imagePullSecrets[0].name📜

Type: string

Default value
"private-registry"

global.resyncPeriod📜

Type: string

Default value
"15m"

global.templating.enabled📜

Type: bool

Default value
false

global.templating.debug📜

Type: bool

Default value
false

global.templating.version📜

Type: string

Default value
nil

upstream.nameOverride📜

Type: string

Default value
"kyverno"

upstream.fullnameOverride📜

Type: string

Default value
"kyverno"

upstream.namespaceOverride📜

Type: string

Default value
nil

upstream.upgrade.fromV2📜

Type: bool

Default value
true

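Description: Upgrading from v2 to v3 is not allowed by default; set this to true once changes have been reviewed. Note that the default value listed above is already true, so confirm the v2-to-v3 changes have been reviewed before relying on it.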

upstream.apiVersionOverride.podDisruptionBudget📜

Type: string

Default value
"policy/v1"

Description: Override api version used to create PodDisruptionBudget resources. When not specified the chart will check if policy/v1/PodDisruptionBudget is available to determine the api version automatically.

upstream.crds.install📜

Type: bool

Default value
true

upstream.crds.migration.enabled📜

Type: bool

Default value
true

upstream.crds.migration.image.defaultRegistry📜

Type: string

Default value
"registry1.dso.mil"

upstream.crds.migration.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno/kyvernocli"

upstream.crds.migration.image.tag📜

Type: string

Default value
"v1.18.1"

upstream.crds.migration.imagePullSecrets[0].name📜

Type: string

Default value
"private-registry"

upstream.config.defaultRegistry📜

Type: string

Default value
"registry1.dso.mil"

upstream.existingImagePullSecrets📜

Type: list

Default value
- private-registry

Description: Existing image pull secrets for image verification policies; this defines the --imagePullSecrets argument.

upstream.webhooksCleanup.enabled📜

Type: bool

Default value
true

Description: Create a Helm pre-delete hook to clean up webhooks.

upstream.webhooksCleanup.image.registry📜

Type: string

Default value
"registry1.dso.mil"

upstream.webhooksCleanup.image.repository📜

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

upstream.webhooksCleanup.image.tag📜

Type: string

Default value
"v1.35.5"

upstream.webhooksCleanup.image.pullPolicy📜

Type: string

Default value
nil

upstream.webhooksCleanup.imagePullSecrets[0].name📜

Type: string

Default value
"private-registry"

upstream.webhooksCleanup.podSecurityContext.runAsUser📜

Type: int

Default value
1001

upstream.webhooksCleanup.podSecurityContext.runAsGroup📜

Type: int

Default value
1001

upstream.webhooksCleanup.podSecurityContext.runAsNonRoot📜

Type: bool

Default value
true

upstream.webhooksCleanup.securityContext.runAsUser📜

Type: int

Default value
1001

upstream.webhooksCleanup.securityContext.runAsGroup📜

Type: int

Default value
1001

upstream.webhooksCleanup.securityContext.runAsNonRoot📜

Type: bool

Default value
true

upstream.webhooksCleanup.securityContext.privileged📜

Type: bool

Default value
false

upstream.webhooksCleanup.securityContext.allowPrivilegeEscalation📜

Type: bool

Default value
false

upstream.webhooksCleanup.securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

upstream.webhooksCleanup.securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

upstream.webhooksCleanup.securityContext.seccompProfile.type📜

Type: string

Default value
"RuntimeDefault"

upstream.webhooksCleanup.resources.limits.cpu📜

Type: string

Default value
"0.5"

upstream.webhooksCleanup.resources.limits.memory📜

Type: string

Default value
"256Mi"

upstream.webhooksCleanup.resources.requests.cpu📜

Type: string

Default value
"0.5"

upstream.webhooksCleanup.resources.requests.memory📜

Type: string

Default value
"256Mi"

upstream.grafana.enabled📜

Type: bool

Default value
false

upstream.features.policyExceptions.enabled📜

Type: bool

Default value
true

upstream.features.policyExceptions.namespace📜

Type: string

Default value
"kyverno"

upstream.admissionController.rbac.serviceAccount.automountServiceAccountToken📜

Type: bool

Default value
true

upstream.admissionController.rbac.coreClusterRole.extraResources[0].apiGroups[0]📜

Type: string

Default value
"*"

upstream.admissionController.rbac.coreClusterRole.extraResources[0].resources[0]📜

Type: string

Default value
"*"

upstream.admissionController.rbac.coreClusterRole.extraResources[0].verbs[0]📜

Type: string

Default value
"get"

upstream.admissionController.rbac.coreClusterRole.extraResources[0].verbs[1]📜

Type: string

Default value
"list"

upstream.admissionController.rbac.coreClusterRole.extraResources[0].verbs[2]📜

Type: string

Default value
"watch"

upstream.admissionController.rbac.clusterRole.extraResources📜

Type: list

Default value
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch

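Description: Extra resource permissions to add to the cluster role. The default shown grants get, list and watch on every resource in every API group, which includes reading Secrets wherever the role is bound; narrow it if the policies in use do not need that breadth.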

upstream.admissionController.createSelfSignedCert📜

Type: bool

Default value
false

Description: Create self-signed certificates at deployment time. The certificates won’t be automatically renewed if this is set to true.

upstream.admissionController.replicas📜

Type: int

Default value
3

Description: Desired number of pods

upstream.admissionController.podSecurityContext.runAsUser📜

Type: int

Default value
10001

upstream.admissionController.podSecurityContext.runAsGroup📜

Type: int

Default value
10001

upstream.admissionController.podSecurityContext.runAsNonRoot📜

Type: bool

Default value
true

upstream.admissionController.podDisruptionBudget.enabled📜

Type: bool

Default value
false

upstream.admissionController.imagePullSecrets[0].name📜

Type: string

Default value
"private-registry"

upstream.admissionController.initContainer.image.registry📜

Type: string

Default value
nil

upstream.admissionController.initContainer.image.defaultRegistry📜

Type: string

Default value
"registry1.dso.mil"

upstream.admissionController.initContainer.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno/kyvernopre"

upstream.admissionController.initContainer.image.tag📜

Type: string

Default value
"v1.18.1"

upstream.admissionController.initContainer.image.pullPolicy📜

Type: string

Default value
nil

upstream.admissionController.initContainer.resources.limits📜

Type: object

Default value
cpu: 1
memory: 1Gi

Description: Pod resource limits

upstream.admissionController.initContainer.resources.requests📜

Type: object

Default value
cpu: 10m
memory: 64Mi

Description: Pod resource requests

upstream.admissionController.initContainer.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
  type: RuntimeDefault

Description: Container security context

upstream.admissionController.container.image.defaultRegistry📜

Type: string

Default value
"registry1.dso.mil"

upstream.admissionController.container.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno"

upstream.admissionController.container.image.tag📜

Type: string

Default value
"v1.18.1"

upstream.admissionController.container.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

upstream.admissionController.container.resources.limits.cpu📜

Type: string

Default value
"500m"

upstream.admissionController.container.resources.limits.memory📜

Type: string

Default value
"512Mi"

upstream.admissionController.container.resources.requests.cpu📜

Type: string

Default value
"500m"

upstream.admissionController.container.resources.requests.memory📜

Type: string

Default value
"512Mi"

upstream.admissionController.container.securityContext.runAsNonRoot📜

Type: bool

Default value
true

upstream.admissionController.container.securityContext.runAsUser📜

Type: int

Default value
10001

upstream.admissionController.container.securityContext.runAsGroup📜

Type: int

Default value
10001

upstream.admissionController.container.securityContext.privileged📜

Type: bool

Default value
false

upstream.admissionController.container.securityContext.allowPrivilegeEscalation📜

Type: bool

Default value
false

upstream.admissionController.container.securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

upstream.admissionController.container.securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

upstream.admissionController.container.securityContext.seccompProfile.type📜

Type: string

Default value
"RuntimeDefault"

upstream.backgroundController.enabled📜

Type: bool

Default value
true

upstream.backgroundController.rbac.create📜

Type: bool

Default value
true

upstream.backgroundController.rbac.serviceAccount.automountServiceAccountToken📜

Type: bool

Default value
false

upstream.backgroundController.rbac.coreClusterRole.extraResources[0].apiGroups[0]📜

Type: string

Default value
"networking.k8s.io"

upstream.backgroundController.rbac.coreClusterRole.extraResources[0].resources[0]📜

Type: string

Default value
"ingresses"

upstream.backgroundController.rbac.coreClusterRole.extraResources[0].resources[1]📜

Type: string

Default value
"ingressclasses"

upstream.backgroundController.rbac.coreClusterRole.extraResources[0].resources[2]📜

Type: string

Default value
"networkpolicies"

upstream.backgroundController.rbac.coreClusterRole.extraResources[0].verbs[0]📜

Type: string

Default value
"create"

upstream.backgroundController.rbac.coreClusterRole.extraResources[0].verbs[1]📜

Type: string

Default value
"update"

upstream.backgroundController.rbac.coreClusterRole.extraResources[0].verbs[2]📜

Type: string

Default value
"patch"

upstream.backgroundController.rbac.coreClusterRole.extraResources[0].verbs[3]📜

Type: string

Default value
"delete"

upstream.backgroundController.rbac.coreClusterRole.extraResources[1].apiGroups[0]📜

Type: string

Default value
"rbac.authorization.k8s.io"

upstream.backgroundController.rbac.coreClusterRole.extraResources[1].resources[0]📜

Type: string

Default value
"rolebindings"

upstream.backgroundController.rbac.coreClusterRole.extraResources[1].resources[1]📜

Type: string

Default value
"roles"

upstream.backgroundController.rbac.coreClusterRole.extraResources[1].verbs[0]📜

Type: string

Default value
"create"

upstream.backgroundController.rbac.coreClusterRole.extraResources[1].verbs[1]📜

Type: string

Default value
"update"

upstream.backgroundController.rbac.coreClusterRole.extraResources[1].verbs[2]📜

Type: string

Default value
"patch"

upstream.backgroundController.rbac.coreClusterRole.extraResources[1].verbs[3]📜

Type: string

Default value
"delete"

upstream.backgroundController.rbac.coreClusterRole.extraResources[2].apiGroups[0]📜

Type: string

Default value
"*"

upstream.backgroundController.rbac.coreClusterRole.extraResources[2].resources[0]📜

Type: string

Default value
"configmaps"

upstream.backgroundController.rbac.coreClusterRole.extraResources[2].resources[1]📜

Type: string

Default value
"resourcequotas"

upstream.backgroundController.rbac.coreClusterRole.extraResources[2].resources[2]📜

Type: string

Default value
"limitranges"

upstream.backgroundController.rbac.coreClusterRole.extraResources[2].verbs[0]📜

Type: string

Default value
"create"

upstream.backgroundController.rbac.coreClusterRole.extraResources[2].verbs[1]📜

Type: string

Default value
"update"

upstream.backgroundController.rbac.coreClusterRole.extraResources[2].verbs[2]📜

Type: string

Default value
"patch"

upstream.backgroundController.rbac.coreClusterRole.extraResources[2].verbs[3]📜

Type: string

Default value
"delete"

upstream.backgroundController.rbac.coreClusterRole.extraResources[3].apiGroups[0]📜

Type: string

Default value
"*"

upstream.backgroundController.rbac.coreClusterRole.extraResources[3].resources[0]📜

Type: string

Default value
"serviceaccounts"

upstream.backgroundController.rbac.coreClusterRole.extraResources[3].verbs[0]📜

Type: string

Default value
"get"

upstream.backgroundController.rbac.coreClusterRole.extraResources[3].verbs[1]📜

Type: string

Default value
"list"

upstream.backgroundController.rbac.coreClusterRole.extraResources[3].verbs[2]📜

Type: string

Default value
"watch"

upstream.backgroundController.rbac.coreClusterRole.extraResources[3].verbs[3]📜

Type: string

Default value
"update"

upstream.backgroundController.rbac.coreClusterRole.extraResources[3].verbs[4]📜

Type: string

Default value
"patch"

upstream.backgroundController.rbac.clusterRole.extraResources📜

Type: list

Default value
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - '*'
  resources:
  - secrets
  verbs:
  - create
  - update
  - delete

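Description: Extra resource permissions to add to the cluster role. The default shown adds get, list and watch on every resource in every API group, plus create, update and delete on secrets; review whether the policies in use need this before keeping it.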

upstream.backgroundController.image.defaultRegistry📜

Type: string

Default value
"registry1.dso.mil"

upstream.backgroundController.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno/kyverno/background-controller"

upstream.backgroundController.image.tag📜

Type: string

Default value
"v1.18.1"

upstream.backgroundController.imagePullSecrets[0].name📜

Type: string

Default value
"private-registry"

upstream.backgroundController.podSecurityContext.runAsUser📜

Type: int

Default value
1000

upstream.backgroundController.podSecurityContext.runAsGroup📜

Type: int

Default value
1000

upstream.backgroundController.podSecurityContext.runAsNonRoot📜

Type: bool

Default value
true

upstream.backgroundController.securityContext.runAsNonRoot📜

Type: bool

Default value
true

upstream.backgroundController.securityContext.runAsUser📜

Type: int

Default value
1000

upstream.backgroundController.securityContext.runAsGroup📜

Type: int

Default value
1000

upstream.backgroundController.securityContext.privileged📜

Type: bool

Default value
false

upstream.backgroundController.securityContext.allowPrivilegeEscalation📜

Type: bool

Default value
false

upstream.backgroundController.securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

upstream.backgroundController.securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

upstream.backgroundController.securityContext.seccompProfile.type📜

Type: string

Default value
"RuntimeDefault"

upstream.cleanupController.enabled📜

Type: bool

Default value
true

upstream.cleanupController.rbac.create📜

Type: bool

Default value
true

upstream.cleanupController.rbac.serviceAccount.automountServiceAccountToken📜

Type: bool

Default value
false

upstream.cleanupController.image.defaultRegistry📜

Type: string

Default value
"registry1.dso.mil"

upstream.cleanupController.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno/kyverno/cleanup-controller"

upstream.cleanupController.image.tag📜

Type: string

Default value
"v1.18.1"

upstream.cleanupController.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

upstream.cleanupController.imagePullSecrets[0].name📜

Type: string

Default value
"private-registry"

upstream.cleanupController.podSecurityContext.runAsUser📜

Type: int

Default value
1000

upstream.cleanupController.podSecurityContext.runAsGroup📜

Type: int

Default value
1000

upstream.cleanupController.podSecurityContext.runAsNonRoot📜

Type: bool

Default value
true

upstream.cleanupController.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

upstream.reportsController.enabled📜

Type: bool

Default value
true

upstream.reportsController.rbac.create📜

Type: bool

Default value
true

upstream.reportsController.rbac.serviceAccount.automountServiceAccountToken📜

Type: bool

Default value
false

upstream.reportsController.rbac.coreClusterRole.extraResources[0].apiGroups[0]📜

Type: string

Default value
"*"

upstream.reportsController.rbac.coreClusterRole.extraResources[0].resources[0]📜

Type: string

Default value
"*"

upstream.reportsController.rbac.coreClusterRole.extraResources[0].verbs[0]📜

Type: string

Default value
"get"

upstream.reportsController.rbac.coreClusterRole.extraResources[0].verbs[1]📜

Type: string

Default value
"list"

upstream.reportsController.rbac.coreClusterRole.extraResources[0].verbs[2]📜

Type: string

Default value
"watch"

upstream.reportsController.rbac.clusterRole.extraResources📜

Type: list

Default value
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch

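Description: Extra resource permissions to add to the cluster role. The default shown grants get, list and watch on every resource in every API group, which includes reading Secrets wherever the role is bound; narrow it if the policies in use do not need that breadth.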

upstream.reportsController.image.defaultRegistry📜

Type: string

Default value
"registry1.dso.mil"

upstream.reportsController.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno/kyverno/reports-controller"

upstream.reportsController.image.tag📜

Type: string

Default value
"v1.18.1"

upstream.reportsController.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

upstream.reportsController.imagePullSecrets[0].name📜

Type: string

Default value
"private-registry"

upstream.reportsController.podSecurityContext.runAsUser📜

Type: int

Default value
1000

upstream.reportsController.podSecurityContext.runAsGroup📜

Type: int

Default value
1000

upstream.reportsController.podSecurityContext.runAsNonRoot📜

Type: bool

Default value
true

upstream.reportsController.securityContext.runAsNonRoot📜

Type: bool

Default value
true

upstream.reportsController.securityContext.runAsUser📜

Type: int

Default value
1000

upstream.reportsController.securityContext.runAsGroup📜

Type: int

Default value
1000

upstream.reportsController.securityContext.privileged📜

Type: bool

Default value
false

upstream.reportsController.securityContext.allowPrivilegeEscalation📜

Type: bool

Default value
false

upstream.reportsController.securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

upstream.reportsController.securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

upstream.reportsController.securityContext.seccompProfile.type📜

Type: string

Default value
"RuntimeDefault"

upstream.test.sleep📜

Type: int

Default value
20

Description: Sleep time before running test

upstream.test.image.registry📜

Type: string

Default value
"registry1.dso.mil"

upstream.test.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno/kyverno/readiness-checker"

upstream.test.image.tag📜

Type: string

Default value
"v1.18.1"

upstream.test.image.pullPolicy📜

Type: string

Default value
nil

upstream.test.imagePullSecrets[0].name📜

Type: string

Default value
"private-registry"

upstream.test.resources.limits📜

Type: object

Default value
cpu: 100m
memory: 256Mi

Description: Pod resource limits

upstream.test.resources.requests📜

Type: object

Default value
cpu: 10m
memory: 64Mi

Description: Pod resource requests

upstream.test.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
  type: RuntimeDefault

Description: Security context for the test containers