Skip to content

kyverno-policies values.yaml📜

enabled📜

Type: bool

Default value
true

Description: Enable policy deployments

validationFailureAction📜

Type: string

Default value
""

Description: Override all policies’ validation failure action with “Audit” or “Enforce”. If blank, uses policy setting.

failurePolicy📜

Type: string

Default value
"Fail"

Description: API server behavior if the webhook fails to respond (‘Ignore’, ‘Fail’) For more info: https://kyverno.io/docs/writing-policies/policy-settings/

background📜

Type: bool

Default value
true

Description: Policies background mode

kyvernoVersion📜

Type: string

Default value
"autodetect"

Description: Kyverno version The default of “autodetect” will try to determine the currently installed version from the deployment

webhookTimeoutSeconds📜

Type: int

Default value
30

Description: Override all policies’ time to wait for admission webhook to respond. If blank, uses policy setting or default (10). Range is 1 to 30.

exclude📜

Type: object

Default value
any:
- resources:
    namespaces:
    - kube-system

Description: Adds an exclusion to all policies. This is merged with any policy-specific excludes. See https://kyverno.io/docs/writing-policies/match-exclude for fields.

excludeContainers📜

Type: list

Default value
[]

Description: Adds an excludeContainers to all policies. This is merged with any policy-specific excludeContainers.

autogenControllers📜

Type: string

Default value
"Deployment,ReplicaSet,DaemonSet,StatefulSet"

Description: Customize the target Pod controllers for the auto-generated rules. (Eg. none, Deployment, DaemonSet,Deployment,StatefulSet) For more info https://kyverno.io/docs/writing-policies/autogen/.

customLabels📜

Type: object

Default value
{}

Description: Additional labels to apply to all policies.

policyPreconditions📜

Type: object

Default value
{}

Description: Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the policyPreconditions map.

waitforready.enabled📜

Type: bool

Default value
false

Description: Controls wait for ready deployment

waitforready.image📜

Type: object

Default value
repository: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl
tag: v1.30.6

Description: Image to use in wait for ready job. This must contain kubectl.

waitforready.imagePullSecrets📜

Type: list

Default value
[]

Description: Pull secret for wait for ready job

policies.sample📜

Type: object

Default value
enabled: false
exclude: {}
match: {}
parameters:
  excludeContainers: []
validationFailureAction: Audit
webhookTimeoutSeconds: ''

Description: Sample policy showing values that can be added to any policy

policies.sample.enabled📜

Type: bool

Default value
false

Description: Controls policy deployment

policies.sample.validationFailureAction📜

Type: string

Default value
"Audit"

Description: Controls if a validation policy rule failure should disallow (Enforce) or allow (Audit) the admission

policies.sample.webhookTimeoutSeconds📜

Type: string

Default value
""

Description: Specifies the maximum time in seconds allowed to apply this policy. Default is 10. Range is 1 to 30.

policies.sample.match📜

Type: object

Default value
{}

Description: Defines when this policy’s rules should be applied. This completely overrides any default matches.

policies.sample.exclude📜

Type: object

Default value
{}

Description: Defines when this policy’s rules should not be applied. This completely overrides any default excludes.

policies.sample.parameters📜

Type: object

Default value
excludeContainers: []

Description: Policy specific parameters that are added to the configMap for the policy rules

policies.sample.parameters.excludeContainers📜

Type: list

Default value
[]

Description: Adds a container exclusion (by name) to a specific policy. This is merged with any global excludeContainers.

policies.block-ephemeral-containers.enabled📜

Type: bool

Default value
true

policies.block-ephemeral-containers.validationFailureAction📜

Type: string

Default value
"Enforce"

policies.clone-configs📜

Type: object

Default value
enabled: false
generateExisting: false
parameters:
  clone: []

Description: Clone existing configMap or secret in new Namespaces

policies.clone-configs.parameters.clone📜

Type: list

Default value
[]

Description: ConfigMap or Secrets that should be cloned. Each item requres the kind, name, and namespace of the resource to clone

policies.disallow-annotations📜

Type: object

Default value
enabled: false
parameters:
  disallow: []
validationFailureAction: Audit

Description: Prevent specified annotations on pods

policies.disallow-annotations.parameters.disallow📜

Type: list

Default value
[]

Description: List of annotations disallowed on pods. Entries can be just a “key”, or a quoted “key: value”. Wildcards ‘*’ and ‘?’ are supported.

policies.disallow-deprecated-apis📜

Type: object

Default value
enabled: false
validationFailureAction: Audit

Description: Prevent resources that use deprecated or removed APIs (through Kubernetes 1.26)

policies.disallow-host-namespaces📜

Type: object

Default value
enabled: true
validationFailureAction: Enforce

Description: Prevent use of the host namespace (PID, IPC, Network) by pods

policies.disallow-image-tags📜

Type: object

Default value
enabled: false
parameters:
  disallow:
  - latest
validationFailureAction: Audit

Description: Prevent container images with specified tags. Also, requires images to have a tag.

policies.disallow-istio-injection-bypass📜

Type: object

Default value
enabled: false
validationFailureAction: Audit

Description: Prevent the sidecar.istio.io/inject: false label on pods.

policies.disallow-labels📜

Type: object

Default value
enabled: false
parameters:
  disallow: []
validationFailureAction: Audit

Description: Prevent specified labels on pods

policies.disallow-labels.parameters.disallow📜

Type: list

Default value
[]

Description: List of labels disallowed on pods. Entries can be just a “key”, or a quoted “key: value”. Wildcards ‘*’ and ‘?’ are supported.

policies.disallow-namespaces📜

Type: object

Default value
enabled: false
parameters:
  disallow:
  - default
validationFailureAction: Audit

Description: Prevent pods from using the listed namespaces

policies.disallow-namespaces.parameters.disallow📜

Type: list

Default value
- default

Description: List of namespaces to deny pod deployment

policies.disallow-nodeport-services📜

Type: object

Default value
enabled: true
validationFailureAction: Audit

Description: Prevent services of the type NodePort

policies.disallow-pod-exec📜

Type: object

Default value
enabled: false
validationFailureAction: Audit

Description: Prevent the use of exec or attach on pods

policies.disallow-privilege-escalation📜

Type: object

Default value
enabled: true
validationFailureAction: Enforce

Description: Prevent privilege escalation on pods

policies.disallow-auto-mount-service-account-token📜

Type: object

Default value
enabled: true
validationFailureAction: Audit

Description: Prevent Automounting of Kubernetes API Credentials on Pods and Service Accounts

policies.disallow-privileged-containers📜

Type: object

Default value
enabled: true
validationFailureAction: Enforce

Description: Prevent containers that run as privileged

policies.disallow-selinux-options📜

Type: object

Default value
enabled: true
parameters:
  disallow:
  - user
  - role
validationFailureAction: Enforce

Description: Prevent specified SELinux options from being used on pods.

policies.disallow-selinux-options.parameters.disallow📜

Type: list

Default value
- user
- role

Description: List of selinux options that are not allowed. Valid values include level, role, type, and user. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards

policies.disallow-tolerations📜

Type: object

Default value
enabled: false
parameters:
  disallow:
  - key: node-role.kubernetes.io/master
validationFailureAction: Audit

Description: Prevent tolerations that bypass specified taints

policies.disallow-tolerations.parameters.disallow📜

Type: list

Default value
- key: node-role.kubernetes.io/master

Description: List of taints to protect from toleration. Each entry can have key, value, and/or effect. Wildcards ‘*’ and ‘?’ can be used If key, value, or effect are not defined, they are ignored in the policy rule

policies.disallow-rbac-on-default-serviceaccounts📜

Type: object

Default value
enabled: false
exclude:
  any:
  - resources:
      name: system:service-account-issuer-discovery
validationFailureAction: Audit

Description: Prevent additional RBAC permissions on default service accounts

policies.require-annotations📜

Type: object

Default value
enabled: false
parameters:
  require: []
validationFailureAction: Audit

Description: Require specified annotations on all pods

policies.require-annotations.parameters.require📜

Type: list

Default value
[]

Description: List of annotations required on all pods. Entries can be just a “key”, or a quoted “key: value”. Wildcards ‘*’ and ‘?’ are supported.

policies.require-cpu-limit📜

Type: object

Default value
enabled: false
parameters:
  require:
  - <10
validationFailureAction: Audit

Description: Require containers have CPU limits defined and within the specified range

policies.require-drop-all-capabilities📜

Type: object

Default value
enabled: true
validationFailureAction: Enforce

Description: Requires containers to drop all Linux capabilities

policies.require-image-signature📜

Type: object

Default value
enabled: true
parameters:
  require:
  - attestors:
    - count: 1
      entries:
      - keys:
          ctlog:
            ignoreSCT: true
          publicKeys: '-----BEGIN PUBLIC KEY-----

            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtQDv69q1kyiogpxvIVjh

            eNMLsI1GTLm+BuLWJN2rq4AA4k3+I7WqdvA1tKJ218DyXExljI3NTD4J5BnLeB6y

            WDvnTPXVu+pNj9W7Az0uyD73/WsMV1QR5VEzWMdMz+ZnN8IGd4JFl9p2N21YBD1R

            Y93+K4XgrZ/iSRk+mGBAs87UpF1ku/nru0H2+XwJtoV7pLrrai/pLdQeRh5Ogg9J

            z5qHer9EnZne6eBnZedvpf7bqfRt0Fqqk0pTzLQm4oFD3HnxdJUPt9ccoPx0IyF0

            rB01a53LBTeRXeUcHd5BpwhwgkIm2insbDIp+lBKjUfq4CfqRQcXLLUgtRUij6ke

            QfD7jgI9chBxbVE1U5Mc/RgftXuVGQzx1OrjenD4wIH4whtP1abTg6XLxqjgkgqq

            EJy5kUpv+ut0n1RBiIdH6wYXDum90fq4qQl+gHaER0bOYAQTCIFRrhrWJ8Qxj4uL

            xI+O5KgLX3TanMtfE7e2A86uzxiHBxEW4+AF2IMXuLviIQKc9z+/p93psfQ9nXXj

            B5i6qFWkF0BMuWibB8e+HHWRKLfNWXGdfLraoMPKwCrJWhYQ+8SRrqR+gbSNWbEM

            VardcwrQZ7NP7KIedquYQnfJ3ukbYikKgdBovGStFEPLaKKiYJiD5UIQhZ51SDdA

            k+PgLW7CzKW4u2+WLdjfalkCAwEAAQ==

            -----END PUBLIC KEY-----'
          rekor:
            ignoreTlog: true
            url: ''
    imageReferences:
    - registry1.dso.mil/ironbank/*
    mutateDigest: false
    verifyDigest: false
validationFailureAction: Enforce

Description: Require specified images to be signed and verified

policies.require-image-signature.parameters.require📜

Type: list

Default value
- attestors:
  - count: 1
    entries:
    - keys:
        ctlog:
          ignoreSCT: true
        publicKeys: '-----BEGIN PUBLIC KEY-----

          MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtQDv69q1kyiogpxvIVjh

          eNMLsI1GTLm+BuLWJN2rq4AA4k3+I7WqdvA1tKJ218DyXExljI3NTD4J5BnLeB6y

          WDvnTPXVu+pNj9W7Az0uyD73/WsMV1QR5VEzWMdMz+ZnN8IGd4JFl9p2N21YBD1R

          Y93+K4XgrZ/iSRk+mGBAs87UpF1ku/nru0H2+XwJtoV7pLrrai/pLdQeRh5Ogg9J

          z5qHer9EnZne6eBnZedvpf7bqfRt0Fqqk0pTzLQm4oFD3HnxdJUPt9ccoPx0IyF0

          rB01a53LBTeRXeUcHd5BpwhwgkIm2insbDIp+lBKjUfq4CfqRQcXLLUgtRUij6ke

          QfD7jgI9chBxbVE1U5Mc/RgftXuVGQzx1OrjenD4wIH4whtP1abTg6XLxqjgkgqq

          EJy5kUpv+ut0n1RBiIdH6wYXDum90fq4qQl+gHaER0bOYAQTCIFRrhrWJ8Qxj4uL

          xI+O5KgLX3TanMtfE7e2A86uzxiHBxEW4+AF2IMXuLviIQKc9z+/p93psfQ9nXXj

          B5i6qFWkF0BMuWibB8e+HHWRKLfNWXGdfLraoMPKwCrJWhYQ+8SRrqR+gbSNWbEM

          VardcwrQZ7NP7KIedquYQnfJ3ukbYikKgdBovGStFEPLaKKiYJiD5UIQhZ51SDdA

          k+PgLW7CzKW4u2+WLdjfalkCAwEAAQ==

          -----END PUBLIC KEY-----'
        rekor:
          ignoreTlog: true
          url: ''
  imageReferences:
  - registry1.dso.mil/ironbank/*
  mutateDigest: false
  verifyDigest: false

Description: List of images that must be signed and the public key to verify. Use kubectl explain clusterpolicy.spec.rules.verifyImages for fields.

policies.require-istio-on-namespaces📜

Type: object

Default value
enabled: false
validationFailureAction: Audit

Description: Require Istio sidecar injection label on namespaces

policies.require-labels📜

Type: object

Default value
enabled: true
parameters:
  require:
  - app.kubernetes.io/name
  - app.kubernetes.io/instance
  - app.kubernetes.io/version
validationFailureAction: Audit

Description: Require specified labels to be on all pods

policies.require-labels.parameters.require📜

Type: list

Default value
- app.kubernetes.io/name
- app.kubernetes.io/instance
- app.kubernetes.io/version

Description: List of labels required on all pods. Entries can be just a “key”, or a quoted “key: value”. Wildcards ‘*’ and ‘?’ are supported. See https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels See https://helm.sh/docs/chart_best_practices/labels/#standard-labels

policies.require-memory-limit📜

Type: object

Default value
enabled: false
parameters:
  require:
  - <64Gi
validationFailureAction: Audit

Description: Require containers have memory limits defined and within the specified range

policies.require-non-root-group📜

Type: object

Default value
enabled: true
validationFailureAction: Enforce

Description: Require containers to run with non-root group

policies.require-non-root-user📜

Type: object

Default value
enabled: true
validationFailureAction: Enforce

Description: Require containers to run as non-root user

policies.require-probes📜

Type: object

Default value
enabled: false
parameters:
  require:
  - readinessProbe
  - livenessProbe
validationFailureAction: Audit

Description: Require specified probes on pods

policies.require-probes.parameters.require📜

Type: list

Default value
- readinessProbe
- livenessProbe

Description: List of probes that are required on pods. Valid values are readinessProbe, livenessProbe, and startupProbe.

policies.require-requests-equal-limits📜

Type: object

Default value
enabled: false
validationFailureAction: Audit

Description: Require CPU and memory requests equal limits for guaranteed quality of service

policies.require-ro-rootfs📜

Type: object

Default value
enabled: false
validationFailureAction: Audit

Description: Require containers set root filesystem to read-only

policies.restrict-apparmor📜

Type: object

Default value
enabled: true
parameters:
  allow:
  - runtime/default
  - localhost/*
validationFailureAction: Enforce

Description: Restricts pods that use AppArmor to specified profiles

policies.restrict-apparmor.parameters.allow📜

Type: list

Default value
- runtime/default
- localhost/*

Description: List of allowed AppArmor profiles Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline

policies.restrict-external-ips📜

Type: object

Default value
enabled: true
parameters:
  allow: []
validationFailureAction: Enforce

Description: Restrict services with External IPs to a specified list (CVE-2020-8554)

policies.restrict-external-ips.parameters.allow📜

Type: list

Default value
[]

Description: List of external IPs allowed in services. Must be an IP address. Use the wildcard ?* to support subnets (e.g. 192.168.0.?*)

policies.restrict-external-names📜

Type: object

Default value
enabled: true
parameters:
  allow: []
validationFailureAction: Enforce

Description: Restrict services with External Names to a specified list (CVE-2020-8554)

policies.restrict-external-names.parameters.allow📜

Type: list

Default value
[]

Description: List of external names allowed in services. Must be a lowercase RFC-1123 hostname.

policies.restrict-capabilities📜

Type: object

Default value
enabled: true
parameters:
  allow:
  - NET_BIND_SERVICE
validationFailureAction: Enforce

Description: Restrict Linux capabilities added to containers to the specified list

policies.restrict-capabilities.parameters.allow📜

Type: list

Default value
- NET_BIND_SERVICE

Description: List of capabilities that are allowed to be added Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted See https://man7.org/linux/man-pages/man7/capabilities.7.html for list of capabilities. The CAP_ prefix is removed in Kubernetes names.

policies.restrict-group-id📜

Type: object

Default value
enabled: false
parameters:
  allow:
  - '>=1000'
validationFailureAction: Audit

Description: Restrict container group IDs to specified ranges NOTE: Using require-non-root-group will force runAsGroup to be defined

policies.restrict-host-path-mount📜

Type: object

Default value
enabled: true
parameters:
  allow: []
validationFailureAction: Audit

Description: Restrict the paths that can be mounted by hostPath volumes to the allowed list. HostPath volumes are normally disallowed. If exceptions are made, the path(s) should be restricted.

policies.restrict-host-path-mount.parameters.allow📜

Type: list

Default value
[]

Description: List of allowed paths for hostPath volumes to mount

policies.restrict-host-path-mount-pv.enabled📜

Type: bool

Default value
true

policies.restrict-host-path-mount-pv.validationFailureAction📜

Type: string

Default value
"Audit"

policies.restrict-host-path-mount-pv.parameters.allow📜

Type: list

Default value
[]

Description: List of allowed paths for hostPath volumes to mount

policies.restrict-host-path-write📜

Type: object

Default value
enabled: true
parameters:
  allow: []
validationFailureAction: Audit

Description: Restrict the paths that can be mounted as read/write by hostPath volumes to the allowed list. HostPath volumes, if allowed, should normally be mounted as read-only. If exceptions are made, the path(s) should be restricted.

policies.restrict-host-path-write.parameters.allow📜

Type: list

Default value
[]

Description: List of allowed paths for hostPath volumes to mount as read/write

policies.restrict-host-ports📜

Type: object

Default value
enabled: true
parameters:
  allow: []
validationFailureAction: Enforce

Description: Restrict host ports in containers to the specified list

policies.restrict-host-ports.parameters.allow📜

Type: list

Default value
[]

Description: List of allowed host ports

policies.restrict-image-registries📜

Type: object

Default value
enabled: true
parameters:
  allow:
  - registry1.dso.mil
validationFailureAction: Audit

Description: Restricts container images to registries in the specified list

policies.restrict-image-registries.parameters.allow📜

Type: list

Default value
- registry1.dso.mil

Description: List of allowed registries that images may use

policies.restrict-proc-mount📜

Type: object

Default value
enabled: true
parameters:
  allow:
  - Default
validationFailureAction: Enforce

Description: Restrict mounting /proc to the specified mask

policies.restrict-proc-mount.parameters.allow📜

Type: list

Default value
- Default

Description: List of allowed proc mount values. Valid values are Default and Unmasked. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards

policies.restrict-seccomp📜

Type: object

Default value
enabled: true
parameters:
  allow:
  - RuntimeDefault
  - Localhost
validationFailureAction: Enforce

Description: Restrict seccomp profiles to the specified list

policies.restrict-seccomp.parameters.allow📜

Type: list

Default value
- RuntimeDefault
- Localhost

Description: List of allowed seccomp profiles. Valid values are Localhost, RuntimeDefault, and Unconfined Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

policies.restrict-selinux-type📜

Type: object

Default value
enabled: true
parameters:
  allow:
  - container_t
  - container_init_t
  - container_kvm_t
validationFailureAction: Enforce

Description: Restrict SELinux types to the specified list.

policies.restrict-selinux-type.parameters.allow📜

Type: list

Default value
- container_t
- container_init_t
- container_kvm_t

Description: List of allowed values for the type field Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards

policies.restrict-sysctls📜

Type: object

Default value
enabled: true
parameters:
  allow:
  - kernel.shm_rmid_forced
  - net.ipv4.ip_local_port_range
  - net.ipv4.ip_unprivileged_port_start
  - net.ipv4.tcp_syncookies
  - net.ipv4.ping_group_range
  - net.ipv4.ip_local_reserved_ports
  - net.ipv4.tcp_keepalive_time
  - net.ipv4.tcp_fin_timeout
  - net.ipv4.tcp_keepalive_intvl
  - net.ipv4.tcp_keepalive_probes
validationFailureAction: Enforce

Description: Restrict sysctls to the specified list

policies.restrict-sysctls.parameters.allow📜

Type: list

Default value
- kernel.shm_rmid_forced
- net.ipv4.ip_local_port_range
- net.ipv4.ip_unprivileged_port_start
- net.ipv4.tcp_syncookies
- net.ipv4.ping_group_range
- net.ipv4.ip_local_reserved_ports
- net.ipv4.tcp_keepalive_time
- net.ipv4.tcp_fin_timeout
- net.ipv4.tcp_keepalive_intvl
- net.ipv4.tcp_keepalive_probes

Description: List of allowed sysctls. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards

policies.restrict-user-id📜

Type: object

Default value
enabled: false
parameters:
  allow:
  - '>=1000'
validationFailureAction: Audit

Description: Restrict user IDs to the specified ranges NOTE: Using require-non-root-user will force runAsUser to be defined

policies.restrict-volume-types📜

Type: object

Default value
enabled: true
parameters:
  allow:
  - configMap
  - csi
  - downwardAPI
  - emptyDir
  - ephemeral
  - persistentVolumeClaim
  - projected
  - secret
validationFailureAction: Enforce

Description: Restrict the volume types to the specified list

policies.restrict-volume-types.parameters.allow📜

Type: list

Default value
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret

Description: List of allowed Volume types. Valid values are the volume types listed here: https://kubernetes.io/docs/concepts/storage/volumes/#volume-types Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

policies.update-image-pull-policy📜

Type: object

Default value
enabled: false
parameters:
  update:
  - to: Always

Description: Updates the image pull policy on containers

policies.update-image-pull-policy.parameters.update📜

Type: list

Default value
- to: Always

Description: List of image pull policy updates. from contains the pull policy value to replace. If from is blank, it matches everything. to contains the new pull policy to use. Must be one of Always, Never, or IfNotPresent.

policies.update-image-registry📜

Type: object

Default value
enabled: false
parameters:
  update: []

Description: Updates an existing image registry with a new registry in containers (e.g. proxy)

policies.update-image-registry.parameters.update📜

Type: list

Default value
[]

Description: List of registry updates. from contains the registry to replace. to contains the new registry to use.

policies.update-automountserviceaccounttokens-default📜

Type: object

Default value
enabled: false

Description: List of namespaces to explictly disable mounting the serviceaccount token

policies.update-automountserviceaccounttokens📜

Type: object

Default value
enabled: false

Description: List pods to explictly enable mounting the serviceaccount token

additionalPolicies📜

Type: object

Default value
samplePolicy:
  annotations:
    policies.kyverno.io/category: Examples
    policies.kyverno.io/description: This sample policy blocks pods from deploying
      into the 'default' namespace.
    policies.kyverno.io/severity: low
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/title: Sample Policy
  enabled: false
  kind: ClusterPolicy
  namespace: ''
  spec:
    rules:
    - match:
        any:
        - resources:
            kinds:
            - Pods
      name: sample-rule
      validate:
        message: Using 'default' namespace is not allowed.
        pattern:
          metadata:
            namespace: '!default'

Description: Adds custom policies. See https://kyverno.io/docs/writing-policies/.

additionalPolicies.samplePolicy📜

Type: object

Default value
annotations:
  policies.kyverno.io/category: Examples
  policies.kyverno.io/description: This sample policy blocks pods from deploying into
    the 'default' namespace.
  policies.kyverno.io/severity: low
  policies.kyverno.io/subject: Pod
  policies.kyverno.io/title: Sample Policy
enabled: false
kind: ClusterPolicy
namespace: ''
spec:
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pods
    name: sample-rule
    validate:
      message: Using 'default' namespace is not allowed.
      pattern:
        metadata:
          namespace: '!default'

Description: Name of the policy. Addtional policies can be added by adding a key.

additionalPolicies.samplePolicy.enabled📜

Type: bool

Default value
false

Description: Controls policy deployment

additionalPolicies.samplePolicy.kind📜

Type: string

Default value
"ClusterPolicy"

Description: Kind of policy. Currently, “ClusterPolicy” and “Policy” are supported.

additionalPolicies.samplePolicy.namespace📜

Type: string

Default value
""

Description: If kind is “Policy”, which namespace to target. The namespace must already exist.

additionalPolicies.samplePolicy.annotations📜

Type: object

Default value
policies.kyverno.io/category: Examples
policies.kyverno.io/description: This sample policy blocks pods from deploying into
  the 'default' namespace.
policies.kyverno.io/severity: low
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Sample Policy

Description: Policy annotations to add

additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/title”📜

Type: string

Default value
"Sample Policy"

Description: Human readable name of policy

additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/category”📜

Type: string

Default value
"Examples"

Description: Category of policy. Arbitrary.

additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/severity”📜

Type: string

Default value
"low"

Description: Severity of policy if a violation occurs. Choose “critical”, “high”, “medium”, “low”.

additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/subject”📜

Type: string

Default value
"Pod"

Description: Type of resource policy applies to (e.g. Pod, Service, Namespace)

additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/description”📜

Type: string

Default value
"This sample policy blocks pods from deploying into the 'default' namespace."

Description: Description of what the policy does, why it is important, and what items are allowed or unallowed.

additionalPolicies.samplePolicy.spec📜

Type: object

Default value
rules:
- match:
    any:
    - resources:
        kinds:
        - Pods
  name: sample-rule
  validate:
    message: Using 'default' namespace is not allowed.
    pattern:
      metadata:
        namespace: '!default'

Description: Policy specification. See kubectl explain clusterpolicies.spec

additionalPolicies.samplePolicy.spec.rules📜

Type: list

Default value
- match:
    any:
    - resources:
        kinds:
        - Pods
  name: sample-rule
  validate:
    message: Using 'default' namespace is not allowed.
    pattern:
      metadata:
        namespace: '!default'

Description: Policy rules. At least one is required

istio📜

Type: object

Default value
enabled: false

Description: BigBang Istio Toggle and Configuration

bbtests📜

Type: object

Default value
enabled: false
imagePullSecret: private-registry
scripts:
  additionalVolumeMounts:
  - mountPath: /yaml
    name: kyverno-policies-bbtest-manifests
  - mountPath: /.kube/cache
    name: kyverno-policies-bbtest-kube-cache
  additionalVolumes:
  - configMap:
      name: kyverno-policies-bbtest-manifests
    name: kyverno-policies-bbtest-manifests
  - emptyDir: {}
    name: kyverno-policies-bbtest-kube-cache
  envs:
    ENABLED_POLICIES: '{{ $p := list }}{{ range $k, $v := .Values.policies }}{{ if
      $v.enabled }}{{ $p = append $p $k }}{{ end }}{{ end }}{{ join " " $p }}'
    IMAGE_PULL_SECRET: '{{ .Values.bbtests.imagePullSecret }}'
  image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6

Description: Reserved values for Big Bang test automation

waitJob.enabled📜

Type: bool

Default value
true

waitJob.kind📜

Type: string

Default value
"ClusterRole"

waitJob.scripts.image📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6"

waitJob.permissions.apiGroups[0]📜

Type: string

Default value
"kyverno.io"

waitJob.permissions.resources[0]📜

Type: string

Default value
"clusterpolicies"

waitJob.permissions.resources[1]📜

Type: string

Default value
"policies"