
kyverno-policies values.yaml📜

enabled📜

Type: bool

Default value
true

Description: Enable policy deployments

validationFailureAction📜

Type: string

Default value
""

Description: Override all policies’ validation failure action with “Audit” or “Enforce”. If blank, uses policy setting.

failurePolicy📜

Type: string

Default value
"Fail"

Description: API server behavior if the webhook fails to respond (‘Ignore’, ‘Fail’). ‘Fail’ rejects the admission request when the webhook is unavailable; ‘Ignore’ admits it. For more info: https://kyverno.io/docs/policy-types/cluster-policy/policy-settings/

background📜

Type: bool

Default value
true

Description: Policies background mode

kyvernoVersion📜

Type: string

Default value
"autodetect"

Description: Kyverno version. The default of “autodetect” will try to determine the currently installed version from the deployment.

webhookTimeoutSeconds📜

Type: int

Default value
30

Description: Override all policies’ time to wait for admission webhook to respond. If blank, uses policy setting or default (10). Range is 1 to 30.

exclude📜

Type: object

Default value
any:
- resources:
    namespaces:
    - kube-system

Description: Adds an exclusion to all policies. This is merged with any policy-specific excludes. See https://kyverno.io/docs/policy-types/cluster-policy/policy-rules/ for fields.

excludeContainers📜

Type: list

Default value
[]

Description: Adds an excludeContainers to all policies. This is merged with any policy-specific excludeContainers.

autogenControllers📜

Type: string

Default value
"Deployment,ReplicaSet,DaemonSet,StatefulSet"

Description: Customize the target Pod controllers for the auto-generated rules (e.g. “none”, “Deployment”, or “DaemonSet,Deployment,StatefulSet”). For more info see https://kyverno.io/docs/policy-types/cluster-policy/autogen/.

customLabels📜

Type: object

Default value
{}

Description: Additional labels to apply to all policies.

policyPreconditions📜

Type: object

Default value
{}

Description: Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the policyPreconditions map.

policies.sample📜

Type: object

Default value
enabled: false
exclude: {}
match: {}
parameters:
  excludeContainers: []
validationFailureAction: Audit
webhookTimeoutSeconds: ''

Description: Sample policy showing values that can be added to any policy

policies.sample.enabled📜

Type: bool

Default value
false

Description: Controls policy deployment

policies.sample.validationFailureAction📜

Type: string

Default value
"Audit"

Description: Controls if a validation policy rule failure should disallow (Enforce) or allow (Audit) the admission

policies.sample.webhookTimeoutSeconds📜

Type: string

Default value
""

Description: Specifies the maximum time in seconds allowed to apply this policy. Default is 10. Range is 1 to 30.

policies.sample.match📜

Type: object

Default value
{}

Description: Defines when this policy’s rules should be applied. This completely overrides any default matches.

policies.sample.exclude📜

Type: object

Default value
{}

Description: Defines when this policy’s rules should not be applied. This completely overrides any default excludes.

policies.sample.parameters📜

Type: object

Default value
excludeContainers: []

Description: Policy specific parameters that are added to the configMap for the policy rules

policies.sample.parameters.excludeContainers📜

Type: list

Default value
[]

Description: Adds a container exclusion (by name) to a specific policy. This is merged with any global excludeContainers.

policies.block-ephemeral-containers.enabled📜

Type: bool

Default value
true

policies.block-ephemeral-containers.validationFailureAction📜

Type: string

Default value
"Enforce"

policies.clone-configs📜

Type: object

Default value
enabled: false
generateExisting: false
parameters:
  clone: []

Description: Clone existing configMap or secret in new Namespaces

policies.clone-configs.parameters.clone📜

Type: list

Default value
[]

Description: ConfigMaps or Secrets that should be cloned. Each item requires the kind, name, and namespace of the resource to clone.

policies.disallow-annotations📜

Type: object

Default value
enabled: false
parameters:
  disallow: []
validationFailureAction: Audit

Description: Prevent specified annotations on pods

policies.disallow-annotations.parameters.disallow📜

Type: list

Default value
[]

Description: List of annotations disallowed on pods. Entries can be just a “key”, or a quoted “key: value”. Wildcards ‘*’ and ‘?’ are supported.

policies.disallow-deprecated-apis📜

Type: object

Default value
enabled: true
validationFailureAction: Audit

Description: Prevent resources that use deprecated or removed APIs (through Kubernetes 1.26)

policies.disallow-host-namespaces📜

Type: object

Default value
enabled: true
validationFailureAction: Enforce

Description: Prevent use of the host namespace (PID, IPC, Network) by pods

policies.disallow-image-tags📜

Type: object

Default value
enabled: true
parameters:
  disallow:
  - latest
validationFailureAction: Enforce

Description: Prevent container images with specified tags. Also, requires images to have a tag.

policies.disallow-istio-injection-bypass📜

Type: object

Default value
enabled: false
validationFailureAction: Audit

Description: Prevent the sidecar.istio.io/inject: false label on pods.

policies.disallow-labels📜

Type: object

Default value
enabled: false
parameters:
  disallow: []
validationFailureAction: Audit

Description: Prevent specified labels on pods

policies.disallow-labels.parameters.disallow📜

Type: list

Default value
[]

Description: List of labels disallowed on pods. Entries can be just a “key”, or a quoted “key: value”. Wildcards ‘*’ and ‘?’ are supported.

policies.disallow-namespaces📜

Type: object

Default value
enabled: true
parameters:
  disallow:
  - default
validationFailureAction: Enforce

Description: Prevent pods from using the listed namespaces

policies.disallow-namespaces.parameters.disallow📜

Type: list

Default value
- default

Description: List of namespaces to deny pod deployment

policies.disallow-nodeport-services📜

Type: object

Default value
enabled: true
validationFailureAction: Enforce

Description: Prevent services of the type NodePort

policies.disallow-pod-exec📜

Type: object

Default value
enabled: false
validationFailureAction: Audit

Description: Prevent the use of exec or attach on pods

policies.disallow-privilege-escalation📜

Type: object

Default value
enabled: true
validationFailureAction: Enforce

Description: Prevent privilege escalation on pods

policies.disallow-auto-mount-service-account-token📜

Type: object

Default value
enabled: true
validationFailureAction: Audit

Description: Prevent Automounting of Kubernetes API Credentials on Pods and Service Accounts

policies.disallow-privileged-containers📜

Type: object

Default value
enabled: true
validationFailureAction: Enforce

Description: Prevent containers that run as privileged

policies.disallow-selinux-options📜

Type: object

Default value
enabled: true
parameters:
  disallow:
  - user
  - role
validationFailureAction: Enforce

Description: Prevent specified SELinux options from being used on pods.

policies.disallow-selinux-options.parameters.disallow📜

Type: list

Default value
- user
- role

Description: List of SELinux options that are not allowed. Valid values include level, role, type, and user. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards

policies.disallow-tolerations📜

Type: object

Default value
enabled: false
parameters:
  disallow:
  - key: node-role.kubernetes.io/master
validationFailureAction: Audit

Description: Prevent tolerations that bypass specified taints

policies.disallow-tolerations.parameters.disallow📜

Type: list

Default value
- key: node-role.kubernetes.io/master

Description: List of taints to protect from toleration. Each entry can have key, value, and/or effect. Wildcards ‘*’ and ‘?’ can be used. If key, value, or effect are not defined, they are ignored in the policy rule.

policies.disallow-rbac-on-default-serviceaccounts📜

Type: object

Default value
enabled: false
exclude:
  any:
  - resources:
      name: system:service-account-issuer-discovery
validationFailureAction: Audit

Description: Prevent additional RBAC permissions on default service accounts

policies.require-annotations📜

Type: object

Default value
enabled: false
parameters:
  require: []
validationFailureAction: Audit

Description: Require specified annotations on all pods

policies.require-annotations.parameters.require📜

Type: list

Default value
[]

Description: List of annotations required on all pods. Entries can be just a “key”, or a quoted “key: value”. Wildcards ‘*’ and ‘?’ are supported.

policies.require-cpu-limit📜

Type: object

Default value
enabled: false
parameters:
  require:
  - <10
validationFailureAction: Audit

Description: Require containers have CPU limits defined and within the specified range

policies.require-drop-all-capabilities📜

Type: object

Default value
enabled: true
validationFailureAction: Enforce

Description: Requires containers to drop all Linux capabilities

policies.require-image-signature📜

Type: object

Default value
enabled: false
parameters:
  require:
  - attestors:
    - count: 1
      entries:
      - keys:
          ctlog:
            ignoreSCT: true
          publicKeys: '-----BEGIN PUBLIC KEY-----

            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtQDv69q1kyiogpxvIVjh

            eNMLsI1GTLm+BuLWJN2rq4AA4k3+I7WqdvA1tKJ218DyXExljI3NTD4J5BnLeB6y

            WDvnTPXVu+pNj9W7Az0uyD73/WsMV1QR5VEzWMdMz+ZnN8IGd4JFl9p2N21YBD1R

            Y93+K4XgrZ/iSRk+mGBAs87UpF1ku/nru0H2+XwJtoV7pLrrai/pLdQeRh5Ogg9J

            z5qHer9EnZne6eBnZedvpf7bqfRt0Fqqk0pTzLQm4oFD3HnxdJUPt9ccoPx0IyF0

            rB01a53LBTeRXeUcHd5BpwhwgkIm2insbDIp+lBKjUfq4CfqRQcXLLUgtRUij6ke

            QfD7jgI9chBxbVE1U5Mc/RgftXuVGQzx1OrjenD4wIH4whtP1abTg6XLxqjgkgqq

            EJy5kUpv+ut0n1RBiIdH6wYXDum90fq4qQl+gHaER0bOYAQTCIFRrhrWJ8Qxj4uL

            xI+O5KgLX3TanMtfE7e2A86uzxiHBxEW4+AF2IMXuLviIQKc9z+/p93psfQ9nXXj

            B5i6qFWkF0BMuWibB8e+HHWRKLfNWXGdfLraoMPKwCrJWhYQ+8SRrqR+gbSNWbEM

            VardcwrQZ7NP7KIedquYQnfJ3ukbYikKgdBovGStFEPLaKKiYJiD5UIQhZ51SDdA

            k+PgLW7CzKW4u2+WLdjfalkCAwEAAQ==

            -----END PUBLIC KEY-----'
          rekor:
            ignoreTlog: true
            url: ''
    imageReferences:
    - registry1.dso.mil/ironbank/*
    mutateDigest: false
    verifyDigest: false
validationFailureAction: Audit

Description: Require specified images to be signed and verified. Note that the default attestor sets ignoreSCT and ignoreTlog to true, so SCT and Rekor transparency-log verification are skipped unless these are overridden.

policies.require-image-signature.parameters.require📜

Type: list

Default value
- attestors:
  - count: 1
    entries:
    - keys:
        ctlog:
          ignoreSCT: true
        publicKeys: '-----BEGIN PUBLIC KEY-----

          MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtQDv69q1kyiogpxvIVjh

          eNMLsI1GTLm+BuLWJN2rq4AA4k3+I7WqdvA1tKJ218DyXExljI3NTD4J5BnLeB6y

          WDvnTPXVu+pNj9W7Az0uyD73/WsMV1QR5VEzWMdMz+ZnN8IGd4JFl9p2N21YBD1R

          Y93+K4XgrZ/iSRk+mGBAs87UpF1ku/nru0H2+XwJtoV7pLrrai/pLdQeRh5Ogg9J

          z5qHer9EnZne6eBnZedvpf7bqfRt0Fqqk0pTzLQm4oFD3HnxdJUPt9ccoPx0IyF0

          rB01a53LBTeRXeUcHd5BpwhwgkIm2insbDIp+lBKjUfq4CfqRQcXLLUgtRUij6ke

          QfD7jgI9chBxbVE1U5Mc/RgftXuVGQzx1OrjenD4wIH4whtP1abTg6XLxqjgkgqq

          EJy5kUpv+ut0n1RBiIdH6wYXDum90fq4qQl+gHaER0bOYAQTCIFRrhrWJ8Qxj4uL

          xI+O5KgLX3TanMtfE7e2A86uzxiHBxEW4+AF2IMXuLviIQKc9z+/p93psfQ9nXXj

          B5i6qFWkF0BMuWibB8e+HHWRKLfNWXGdfLraoMPKwCrJWhYQ+8SRrqR+gbSNWbEM

          VardcwrQZ7NP7KIedquYQnfJ3ukbYikKgdBovGStFEPLaKKiYJiD5UIQhZ51SDdA

          k+PgLW7CzKW4u2+WLdjfalkCAwEAAQ==

          -----END PUBLIC KEY-----'
        rekor:
          ignoreTlog: true
          url: ''
  imageReferences:
  - registry1.dso.mil/ironbank/*
  mutateDigest: false
  verifyDigest: false

Description: List of images that must be signed and the public key to verify. Use kubectl explain clusterpolicy.spec.rules.verifyImages for fields.

policies.require-istio-on-namespaces📜

Type: object

Default value
enabled: false
validationFailureAction: Audit

Description: Require Istio sidecar injection label on namespaces

policies.require-labels📜

Type: object

Default value
enabled: true
parameters:
  require:
  - app.kubernetes.io/name
  - app.kubernetes.io/instance
  - app.kubernetes.io/version
validationFailureAction: Audit

Description: Require specified labels to be on all pods

policies.require-labels.parameters.require📜

Type: list

Default value
- app.kubernetes.io/name
- app.kubernetes.io/instance
- app.kubernetes.io/version

Description: List of labels required on all pods. Entries can be just a “key”, or a quoted “key: value”. Wildcards ‘*’ and ‘?’ are supported. See https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels See https://helm.sh/docs/chart_best_practices/labels/#standard-labels

policies.require-memory-limit📜

Type: object

Default value
enabled: false
parameters:
  require:
  - <64Gi
validationFailureAction: Audit

Description: Require containers have memory limits defined and within the specified range

policies.add-default-securitycontext📜

Type: object

Default value
enabled: true
validationFailureAction: Enforce

Description: This policy will mutate a Pod to set runAsNonRoot, runAsUser, runAsGroup, and fsGroup fields within the Pod securityContext if they are not already set.

policies.require-non-root-group📜

Type: object

Default value
enabled: true
validationFailureAction: Enforce

Description: Require containers to run with non-root group

policies.require-non-root-user📜

Type: object

Default value
enabled: true
validationFailureAction: Enforce

Description: Require containers to run as non-root user

policies.require-probes📜

Type: object

Default value
enabled: false
parameters:
  require:
  - readinessProbe
  - livenessProbe
validationFailureAction: Audit

Description: Require specified probes on pods

policies.require-probes.parameters.require📜

Type: list

Default value
- readinessProbe
- livenessProbe

Description: List of probes that are required on pods. Valid values are readinessProbe, livenessProbe, and startupProbe.

policies.require-requests-equal-limits📜

Type: object

Default value
enabled: false
validationFailureAction: Audit

Description: Require CPU and memory requests equal limits for guaranteed quality of service

policies.require-ro-rootfs📜

Type: object

Default value
enabled: false
validationFailureAction: Audit

Description: Require containers set root filesystem to read-only

policies.restrict-apparmor📜

Type: object

Default value
enabled: true
parameters:
  allow:
  - runtime/default
  - localhost/*
validationFailureAction: Enforce

Description: Restricts pods that use AppArmor to specified profiles

policies.restrict-apparmor.parameters.allow📜

Type: list

Default value
- runtime/default
- localhost/*

Description: List of allowed AppArmor profiles. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline

policies.restrict-external-ips📜

Type: object

Default value
enabled: true
parameters:
  allow: []
validationFailureAction: Enforce

Description: Restrict services with External IPs to a specified list (CVE-2020-8554)

policies.restrict-external-ips.parameters.allow📜

Type: list

Default value
[]

Description: List of external IPs allowed in services. Must be an IP address. Use the wildcard ?* to support subnets (e.g. 192.168.0.?*)

policies.restrict-external-names📜

Type: object

Default value
enabled: true
parameters:
  allow: []
validationFailureAction: Enforce

Description: Restrict services with External Names to a specified list (CVE-2020-8554)

policies.restrict-external-names.parameters.allow📜

Type: list

Default value
[]

Description: List of external names allowed in services. Must be a lowercase RFC-1123 hostname.

policies.restrict-capabilities📜

Type: object

Default value
enabled: true
parameters:
  allow:
  - NET_BIND_SERVICE
validationFailureAction: Enforce

Description: Restrict Linux capabilities added to containers to the specified list

policies.restrict-capabilities.parameters.allow📜

Type: list

Default value
- NET_BIND_SERVICE

Description: List of capabilities that are allowed to be added. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted. See https://man7.org/linux/man-pages/man7/capabilities.7.html for the list of capabilities. The CAP_ prefix is removed in Kubernetes names.

policies.restrict-group-id📜

Type: object

Default value
enabled: false
parameters:
  allow:
  - '>=1000'
validationFailureAction: Audit

Description: Restrict container group IDs to specified ranges. NOTE: Using require-non-root-group will force runAsGroup to be defined.

policies.restrict-host-path-mount📜

Type: object

Default value
enabled: true
parameters:
  allow: []
validationFailureAction: Enforce

Description: Restrict the paths that can be mounted by hostPath volumes to the allowed list. HostPath volumes are normally disallowed. If exceptions are made, the path(s) should be restricted.

policies.restrict-host-path-mount.parameters.allow📜

Type: list

Default value
[]

Description: List of allowed paths for hostPath volumes to mount

policies.restrict-host-path-mount-pv.enabled📜

Type: bool

Default value
true

policies.restrict-host-path-mount-pv.validationFailureAction📜

Type: string

Default value
"Enforce"

policies.restrict-host-path-mount-pv.parameters.allow📜

Type: list

Default value
[]

Description: List of allowed paths for hostPath volumes to mount

policies.restrict-host-path-write📜

Type: object

Default value
enabled: true
parameters:
  allow: []
validationFailureAction: Enforce

Description: Restrict the paths that can be mounted as read/write by hostPath volumes to the allowed list. HostPath volumes, if allowed, should normally be mounted as read-only. If exceptions are made, the path(s) should be restricted.

policies.restrict-host-path-write.parameters.allow📜

Type: list

Default value
[]

Description: List of allowed paths for hostPath volumes to mount as read/write

policies.restrict-host-ports📜

Type: object

Default value
enabled: true
parameters:
  allow: []
validationFailureAction: Enforce

Description: Restrict host ports in containers to the specified list

policies.restrict-host-ports.parameters.allow📜

Type: list

Default value
[]

Description: List of allowed host ports

policies.restrict-image-registries📜

Type: object

Default value
enabled: true
parameters:
  allow:
  - registry1.dso.mil
  - registry.dso.mil
validationFailureAction: Enforce

Description: Restricts container images to registries in the specified list

policies.restrict-image-registries.parameters.allow📜

Type: list

Default value
- registry1.dso.mil
- registry.dso.mil

Description: List of allowed registries that images may use

policies.restrict-proc-mount📜

Type: object

Default value
enabled: true
parameters:
  allow:
  - Default
validationFailureAction: Enforce

Description: Restrict mounting /proc to the specified mask

policies.restrict-proc-mount.parameters.allow📜

Type: list

Default value
- Default

Description: List of allowed proc mount values. Valid values are Default and Unmasked. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards

policies.restrict-seccomp📜

Type: object

Default value
enabled: true
parameters:
  allow:
  - RuntimeDefault
  - Localhost
validationFailureAction: Enforce

Description: Restrict seccomp profiles to the specified list

policies.restrict-seccomp.parameters.allow📜

Type: list

Default value
- RuntimeDefault
- Localhost

Description: List of allowed seccomp profiles. Valid values are Localhost, RuntimeDefault, and Unconfined. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

policies.restrict-selinux-type📜

Type: object

Default value
enabled: true
parameters:
  allow:
  - container_t
  - container_init_t
  - container_kvm_t
validationFailureAction: Enforce

Description: Restrict SELinux types to the specified list.

policies.restrict-selinux-type.parameters.allow📜

Type: list

Default value
- container_t
- container_init_t
- container_kvm_t

Description: List of allowed values for the type field. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards

policies.restrict-sysctls📜

Type: object

Default value
enabled: true
parameters:
  allow:
  - kernel.shm_rmid_forced
  - net.ipv4.ip_local_port_range
  - net.ipv4.ip_unprivileged_port_start
  - net.ipv4.tcp_syncookies
  - net.ipv4.ping_group_range
  - net.ipv4.ip_local_reserved_ports
  - net.ipv4.tcp_keepalive_time
  - net.ipv4.tcp_fin_timeout
  - net.ipv4.tcp_keepalive_intvl
  - net.ipv4.tcp_keepalive_probes
validationFailureAction: Enforce

Description: Restrict sysctls to the specified list

policies.restrict-sysctls.parameters.allow📜

Type: list

Default value
- kernel.shm_rmid_forced
- net.ipv4.ip_local_port_range
- net.ipv4.ip_unprivileged_port_start
- net.ipv4.tcp_syncookies
- net.ipv4.ping_group_range
- net.ipv4.ip_local_reserved_ports
- net.ipv4.tcp_keepalive_time
- net.ipv4.tcp_fin_timeout
- net.ipv4.tcp_keepalive_intvl
- net.ipv4.tcp_keepalive_probes

Description: List of allowed sysctls. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards

policies.restrict-user-id📜

Type: object

Default value
enabled: false
parameters:
  allow:
  - '>=1000'
validationFailureAction: Audit

Description: Restrict user IDs to the specified ranges. NOTE: Using require-non-root-user will force runAsUser to be defined.

policies.restrict-volume-types📜

Type: object

Default value
enabled: true
parameters:
  allow:
  - configMap
  - csi
  - downwardAPI
  - emptyDir
  - ephemeral
  - persistentVolumeClaim
  - projected
  - secret
validationFailureAction: Enforce

Description: Restrict the volume types to the specified list

policies.restrict-volume-types.parameters.allow📜

Type: list

Default value
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret

Description: List of allowed volume types. Valid values are the volume types listed at https://kubernetes.io/docs/concepts/storage/volumes/#volume-types. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

policies.update-image-pull-policy📜

Type: object

Default value
enabled: false
parameters:
  update:
  - to: Always

Description: Updates the image pull policy on containers

policies.update-image-pull-policy.parameters.update📜

Type: list

Default value
- to: Always

Description: List of image pull policy updates. “from” contains the pull policy value to replace; if “from” is blank, it matches everything. “to” contains the new pull policy to use and must be one of Always, Never, or IfNotPresent.

policies.update-image-registry📜

Type: object

Default value
enabled: false
parameters:
  update: []

Description: Updates an existing image registry with a new registry in containers (e.g. proxy)

policies.update-image-registry.parameters.update📜

Type: list

Default value
[]

Description: List of registry updates. “from” contains the registry to replace; “to” contains the new registry to use.

policies.update-automountserviceaccounttokens-default📜

Type: object

Default value
enabled: false

Description: List of namespaces to explicitly disable mounting the serviceaccount token

policies.update-automountserviceaccounttokens📜

Type: object

Default value
enabled: false

Description: Namespace-scoped ServiceAccount hardening and Pod allow/deny exceptions. Omit serviceAccounts to match all ServiceAccounts in a namespace.

celPoliciesBeta📜

Type: object

Default value
add-default-capability-drop-cel:
  enabled: false
add-default-securitycontext-cel:
  enabled: false
  parameters:
    fsGroup: 65534
    runAsGroup: 65534
    runAsNonRoot: true
    runAsUser: 65534
autogenControllers: ''
background: ''
block-ephemeral-containers-cel:
  enabled: false
  validationFailureAction: ''
clone-configs-cel:
  enabled: false
  generateExisting: false
  parameters:
    clone: []
  synchronize: true
disallow-annotations-cel:
  enabled: false
  parameters:
    disallow: []
  validationFailureAction: ''
disallow-auto-mount-service-account-token-cel:
  enabled: false
  validationFailureAction: ''
disallow-deprecated-apis-cel:
  enabled: false
  validationFailureAction: ''
disallow-host-namespaces-cel:
  enabled: false
  validationFailureAction: ''
disallow-image-tags-cel:
  enabled: false
  parameters:
    disallow:
    - latest
  validationFailureAction: ''
disallow-istio-injection-bypass-cel:
  enabled: false
  validationFailureAction: ''
disallow-labels-cel:
  enabled: false
  parameters:
    disallow: []
  validationFailureAction: ''
disallow-namespaces-cel:
  autogenControllers: Deployment,ReplicaSet,DaemonSet,StatefulSet,Job,CronJob
  enabled: false
  parameters:
    disallow:
    - default
  validationFailureAction: ''
disallow-nodeport-services-cel:
  enabled: false
  validationFailureAction: ''
disallow-privilege-escalation-cel:
  enabled: false
  validationFailureAction: ''
disallow-privileged-containers-cel:
  enabled: false
  validationFailureAction: ''
disallow-selinux-options-cel:
  enabled: false
  parameters:
    disallow:
    - user
    - role
  validationFailureAction: ''
excludeContainers: []
excludeNamespaces: []
mpolFailurePolicy: ''
require-annotations-cel:
  enabled: false
  parameters:
    require: []
  validationFailureAction: ''
require-cpu-limit-cel:
  enabled: false
  parameters:
    maxCPU: '10'
  validationFailureAction: ''
require-drop-all-capabilities-cel:
  enabled: false
  validationFailureAction: ''
require-istio-on-namespaces-cel:
  enabled: false
  validationFailureAction: ''
require-labels-cel:
  enabled: false
  parameters:
    require: []
  validationFailureAction: ''
require-memory-limit-cel:
  enabled: false
  parameters:
    maxMemory: 64Gi
  validationFailureAction: ''
require-non-root-group-cel:
  enabled: false
  validationFailureAction: ''
require-non-root-user-cel:
  enabled: false
  validationFailureAction: ''
require-probes-cel:
  autogenControllers: DaemonSet,Deployment,StatefulSet
  enabled: false
  parameters:
    livenessProbe: true
    readinessProbe: true
    startupProbe: false
  validationFailureAction: ''
require-ro-rootfs-cel:
  enabled: false
  validationFailureAction: ''
restrict-external-ips-cel:
  enabled: false
  parameters:
    allow: []
  validationFailureAction: ''
restrict-external-names-cel:
  enabled: false
  parameters:
    allow: []
  validationFailureAction: ''
restrict-image-registries-cel:
  enabled: false
  parameters:
    allow: []
  validationFailureAction: ''
restrict-proc-mount-cel:
  enabled: false
  parameters:
    default: true
    unmasked: false
  validationFailureAction: ''
restrict-seccomp-cel:
  enabled: false
  parameters:
    localhost: true
    runtimeDefault: true
    unconfined: false
  validationFailureAction: ''
restrict-sysctls-cel:
  enabled: false
  parameters:
    allow:
    - kernel\.shm_rmid_forced
    - net\.ipv4\.ip_local_port_range
    - net\.ipv4\.ip_unprivileged_port_start
    - net\.ipv4\.tcp_syncookies
    - net\.ipv4\.ping_group_range
    - net\.ipv4\.ip_local_reserved_ports
    - net\.ipv4\.tcp_keepalive_time
    - net\.ipv4\.tcp_fin_timeout
    - net\.ipv4\.tcp_keepalive_intvl
    - net\.ipv4\.tcp_keepalive_probes
  validationFailureAction: ''
restrict-volume-types-cel:
  enabled: false
  parameters:
    allow:
    - configMap
    - csi
    - downwardAPI
    - emptyDir
    - ephemeral
    - persistentVolumeClaim
    - projected
    - secret
  validationFailureAction: ''
update-automountserviceaccounttokens-cel:
  autogenControllers: Deployment,StatefulSet
  enabled: false
vpolFailurePolicy: ''
webhookTimeoutSeconds: ''

Description: Policies with no tunables omit the parameters key entirely.

celPoliciesBeta.vpolFailurePolicy📜

Type: string

Default value
""

Description: and we have a clearer picture of the shared vs kind-specific config surface.

celPoliciesBeta.mpolFailurePolicy📜

Type: string

Default value
""

Description: explicit during migration. See vpolFailurePolicy comment for consolidation plan.

celPoliciesBeta.background📜

Type: string

Default value
""

Description: Background scanning (true/false). Empty = falls through to top-level .Values.background.

celPoliciesBeta.webhookTimeoutSeconds📜

Type: string

Default value
""

Description: Webhook timeout 1-30s. Empty = falls through to top-level .Values.webhookTimeoutSeconds.

celPoliciesBeta.autogenControllers📜

Type: string

Default value
""

Description: Autogen controller list. Same comma-separated CamelCase format as top-level. Empty = falls through to top-level .Values.autogenControllers.

celPoliciesBeta.excludeNamespaces📜

Type: list

Default value
[]

Description: subjects, roles), use per-policy matchConditions with CEL expressions.

celPoliciesBeta.excludeContainers📜

Type: list

Default value
[]

Description: Merged with per-policy excludeContainers. CEL equivalent of top-level .Values.excludeContainers.

celPoliciesBeta.add-default-capability-drop-cel📜

Type: object

Default value
enabled: false

Description: Add default capability drops when absent (MutatingPolicy). The -cel suffix avoids a name collision with the CPol during migration.

celPoliciesBeta.add-default-securitycontext-cel📜

Type: object

Default value
enabled: false
parameters:
  fsGroup: 65534
  runAsGroup: 65534
  runAsNonRoot: true
  runAsUser: 65534

Description: Add default pod securityContext fields when absent (MutatingPolicy). The -cel suffix avoids a name collision with the CPol during migration.

celPoliciesBeta.add-default-securitycontext-cel.parameters.runAsNonRoot📜

Type: bool

Default value
true

Description: Default pod securityContext values (applied only when field is absent)

celPoliciesBeta.block-ephemeral-containers-cel📜

Type: object

Default value
enabled: false
validationFailureAction: ''

Description: Block ephemeral (debug) containers (VPol). The -cel suffix avoids a name collision with the CPol during migration.

celPoliciesBeta.block-ephemeral-containers-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.clone-configs-cel📜

Type: object

Default value
enabled: false
generateExisting: false
parameters:
  clone: []
synchronize: true

Description: Clone ConfigMaps/Secrets into new namespaces (GeneratingPolicy). The -cel suffix avoids a name collision with the CPol during migration.

celPoliciesBeta.clone-configs-cel.parameters.clone📜

Type: list

Default value
[]

Description: ConfigMaps or Secrets to clone. Same structure as the CPol clone-configs policy. When enabled is true, this list must be non-empty or templating fails.

celPoliciesBeta.clone-configs-cel.generateExisting📜

Type: bool

Default value
false

Description: Whether to retroactively clone into existing namespaces

celPoliciesBeta.clone-configs-cel.synchronize📜

Type: bool

Default value
true

Description: Keep cloned resources in sync with the source

celPoliciesBeta.disallow-annotations-cel📜

Type: object

Default value
enabled: false
parameters:
  disallow: []
validationFailureAction: ''

Description: Disallow specified annotations on all pods (VPol). The -cel suffix avoids a name collision with the CPol during migration.

celPoliciesBeta.disallow-annotations-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.disallow-annotations-cel.parameters.disallow📜

Type: list

Default value
[]

Description: Annotations disallowed on all pods. Each entry has a key (RE2 regex) and an optional value (RE2 regex). Both are auto-anchored with ^ and $. If value is omitted, any pod with a matching key is rejected regardless of value.

celPoliciesBeta.disallow-deprecated-apis-cel📜

Type: object

Default value
enabled: false
validationFailureAction: ''

Description: Disallow deprecated Kubernetes APIs (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.disallow-deprecated-apis-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.disallow-auto-mount-service-account-token-cel📜

Type: object

Default value
enabled: false
validationFailureAction: ''

Description: Prevent automounting of Kubernetes API credentials on Pods and ServiceAccounts (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.disallow-auto-mount-service-account-token-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.disallow-host-namespaces-cel📜

Type: object

Default value
enabled: false
validationFailureAction: ''

Description: Disallow host namespaces (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.disallow-host-namespaces-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.disallow-image-tags-cel📜

Type: object

Default value
enabled: false
parameters:
  disallow:
  - latest
validationFailureAction: ''

Description: Disallow specified image tags on container images (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.disallow-image-tags-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.disallow-image-tags-cel.parameters.disallow📜

Type: list

Default value
- latest

Description: Image tags disallowed on every container. Match is exact and case-sensitive; an image is rejected if it ends with :<tag> for any entry. An empty list keeps only the require-tag check active. Note that disallowing a tag such as latest does not make the remaining tags immutable; where image identity matters, pin by digest or verify signatures in addition to this check.

celPoliciesBeta.disallow-istio-injection-bypass-cel📜

Type: object

Default value
enabled: false
validationFailureAction: ''

Description: Disallow Istio sidecar injection bypass (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.disallow-istio-injection-bypass-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.disallow-labels-cel📜

Type: object

Default value
enabled: false
parameters:
  disallow: []
validationFailureAction: ''

Description: Disallow specified labels on all pods (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.disallow-labels-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.disallow-labels-cel.parameters.disallow📜

Type: list

Default value
[]

Description: Labels disallowed on all pods. Each entry has a key (RE2 regex) and an optional value (RE2 regex). Both are auto-anchored with ^ and $. If value is omitted, any pod with a matching key is rejected regardless of value.

celPoliciesBeta.disallow-namespaces-cel📜

Type: object

Default value
autogenControllers: Deployment,ReplicaSet,DaemonSet,StatefulSet,Job,CronJob
enabled: false
parameters:
  disallow:
  - default
validationFailureAction: ''

Description: Disallow workloads in specified namespaces (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.disallow-namespaces-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.disallow-namespaces-cel.autogenControllers📜

Type: string

Default value
"Deployment,ReplicaSet,DaemonSet,StatefulSet,Job,CronJob"

Description: Default autogen list adds Job and CronJob so workload kinds the CPol matched directly are still covered.

celPoliciesBeta.disallow-namespaces-cel.parameters.disallow📜

Type: list

Default value
- default

Description: Namespace names workloads must not be deployed into. Match is exact.

celPoliciesBeta.disallow-nodeport-services-cel📜

Type: object

Default value
enabled: false
validationFailureAction: ''

Description: Disallow NodePort Services (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.disallow-nodeport-services-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.disallow-privilege-escalation-cel📜

Type: object

Default value
enabled: false
validationFailureAction: ''

Description: Disallow privilege escalation on containers (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.disallow-privilege-escalation-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.disallow-privileged-containers-cel📜

Type: object

Default value
enabled: false
validationFailureAction: ''

Description: Prevent containers that run as privileged (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.disallow-privileged-containers-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.disallow-selinux-options-cel📜

Type: object

Default value
enabled: false
parameters:
  disallow:
  - user
  - role
validationFailureAction: ''

Description: Disallow specified SELinux options (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.disallow-selinux-options-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.disallow-selinux-options-cel.parameters.disallow📜

Type: list

Default value
- user
- role

Description: SELinux option fields to disallow. Valid values: user, role, type, level. Defaults from https://kubernetes.io/docs/concepts/security/pod-security-standards

celPoliciesBeta.restrict-proc-mount-cel📜

Type: object

Default value
enabled: false
parameters:
  default: true
  unmasked: false
validationFailureAction: ''

Description: Restrict mounting /proc to the specified mask (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.restrict-proc-mount-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.restrict-proc-mount-cel.parameters.default📜

Type: bool

Default value
true

Description: Allow containers to set procMount: Default.

celPoliciesBeta.restrict-proc-mount-cel.parameters.unmasked📜

Type: bool

Default value
false

Description: Allow containers to set procMount: Unmasked. Enabling this removes the masking of sensitive /proc paths inside the container and is outside the Pod Security Standards baseline profile; leave it false unless a specific workload requires it.

celPoliciesBeta.restrict-seccomp-cel📜

Type: object

Default value
enabled: false
parameters:
  localhost: true
  runtimeDefault: true
  unconfined: false
validationFailureAction: ''

Description: Restrict seccomp profile types to the specified list (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.restrict-seccomp-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.restrict-seccomp-cel.parameters.localhost📜

Type: bool

Default value
true

Description: Allow pods and containers to set seccompProfile.type: Localhost.

celPoliciesBeta.restrict-seccomp-cel.parameters.runtimeDefault📜

Type: bool

Default value
true

Description: Allow pods and containers to set seccompProfile.type: RuntimeDefault.

celPoliciesBeta.restrict-seccomp-cel.parameters.unconfined📜

Type: bool

Default value
false

Description: Allow pods and containers to set seccompProfile.type: Unconfined. Unconfined disables seccomp syscall filtering entirely and is forbidden by the Pod Security Standards baseline profile; leave it false unless a specific workload requires it.

celPoliciesBeta.restrict-sysctls-cel📜

Type: object

Default value
enabled: false
parameters:
  allow:
  - kernel\.shm_rmid_forced
  - net\.ipv4\.ip_local_port_range
  - net\.ipv4\.ip_unprivileged_port_start
  - net\.ipv4\.tcp_syncookies
  - net\.ipv4\.ping_group_range
  - net\.ipv4\.ip_local_reserved_ports
  - net\.ipv4\.tcp_keepalive_time
  - net\.ipv4\.tcp_fin_timeout
  - net\.ipv4\.tcp_keepalive_intvl
  - net\.ipv4\.tcp_keepalive_probes
validationFailureAction: ''

Description: Restrict sysctls to the specified list (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.restrict-sysctls-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.restrict-sysctls-cel.parameters.allow📜

Type: list

Default value
- kernel\.shm_rmid_forced
- net\.ipv4\.ip_local_port_range
- net\.ipv4\.ip_unprivileged_port_start
- net\.ipv4\.tcp_syncookies
- net\.ipv4\.ping_group_range
- net\.ipv4\.ip_local_reserved_ports
- net\.ipv4\.tcp_keepalive_time
- net\.ipv4\.tcp_fin_timeout
- net\.ipv4\.tcp_keepalive_intvl
- net\.ipv4\.tcp_keepalive_probes

Description: List of allowed sysctls as RE2 regex patterns (auto-anchored ^…$). Example: “net\.ipv4\..+” allows any sysctl under net.ipv4. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards. Note that a wildcard pattern like the example admits sysctls beyond the Pod Security Standards safe set; keep patterns as specific as the workload needs.

celPoliciesBeta.require-annotations-cel📜

Type: object

Default value
enabled: false
parameters:
  require: []
validationFailureAction: ''

Description: Require specified annotations on all pods (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.require-annotations-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.require-annotations-cel.parameters.require📜

Type: list

Default value
[]

Description: Annotations required on all pods. Each entry has a key (RE2 regex) and an optional value (RE2 regex). Both are auto-anchored with ^ and $. If value is omitted, any non-empty value is accepted.

celPoliciesBeta.require-cpu-limit-cel📜

Type: object

Default value
enabled: false
parameters:
  maxCPU: '10'
validationFailureAction: ''

Description: Require containers have CPU limits defined (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.require-cpu-limit-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.require-cpu-limit-cel.parameters.maxCPU📜

Type: string

Default value
"10"

Description: Upper bound on CPU limits. Rejects containers requesting more than this. The default “10” is not a tight limit. Set to empty string to disable the upper-bound check. (The upstream description is truncated here; whether the comparison is inclusive, as it is for require-memory-limit-cel, is not stated on this page — confirm against the policy template.)

celPoliciesBeta.require-drop-all-capabilities-cel📜

Type: object

Default value
enabled: false
validationFailureAction: ''

Description: Require containers to drop all Linux capabilities (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.require-drop-all-capabilities-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.require-istio-on-namespaces-cel📜

Type: object

Default value
enabled: false
validationFailureAction: ''

Description: Require Istio sidecar injection label on namespaces (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.require-istio-on-namespaces-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.require-labels-cel📜

Type: object

Default value
enabled: false
parameters:
  require: []
validationFailureAction: ''

Description: Require specified labels on all pods (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.require-labels-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.require-labels-cel.parameters.require📜

Type: list

Default value
[]

Description: Labels required on all pods. Each entry has a key (RE2 regex) and an optional value (RE2 regex). Both are auto-anchored with ^ and $. If value is omitted, any non-empty value is accepted.

celPoliciesBeta.require-memory-limit-cel📜

Type: object

Default value
enabled: false
parameters:
  maxMemory: 64Gi
validationFailureAction: ''

Description: Require containers have memory limits defined (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.require-memory-limit-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.require-memory-limit-cel.parameters.maxMemory📜

Type: string

Default value
"64Gi"

Description: Upper bound on memory limits. Rejects containers requesting more than this. The default “64Gi” approximates the CPol’s “<64Gi” ceiling; the VPol uses <=, so a limit of exactly 64Gi is accepted here but rejected by the CPol. It is not a tight limit. Set to empty string to disable the upper-bound check.

celPoliciesBeta.require-non-root-group-cel📜

Type: object

Default value
enabled: false
validationFailureAction: ''

Description: Require containers run with non-root group IDs (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.require-non-root-group-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.require-non-root-user-cel📜

Type: object

Default value
enabled: false
validationFailureAction: ''

Description: Require containers run as non-root user (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.require-non-root-user-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.require-probes-cel📜

Type: object

Default value
autogenControllers: DaemonSet,Deployment,StatefulSet
enabled: false
parameters:
  livenessProbe: true
  readinessProbe: true
  startupProbe: false
validationFailureAction: ''

Description: Require liveness/readiness probes on containers (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.require-probes-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.require-probes-cel.parameters.readinessProbe📜

Type: bool

Default value
true

Description: Require readinessProbe on all containers

celPoliciesBeta.require-probes-cel.parameters.livenessProbe📜

Type: bool

Default value
true

Description: Require livenessProbe on all containers

celPoliciesBeta.require-probes-cel.parameters.startupProbe📜

Type: bool

Default value
false

Description: Require startupProbe on all containers

celPoliciesBeta.require-ro-rootfs-cel📜

Type: object

Default value
enabled: false
validationFailureAction: ''

Description: Require containers run with a read-only root filesystem (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.require-ro-rootfs-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.restrict-external-ips-cel📜

Type: object

Default value
enabled: false
parameters:
  allow: []
validationFailureAction: ''

Description: Restrict Services with external IPs to an allow-list (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.restrict-external-ips-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.restrict-external-ips-cel.parameters.allow📜

Type: list

Default value
[]

Description: List of allowed external IPs as RE2 regex patterns (auto-anchored ^…$). Example: “192\.168\.0\..+” to allow any IP in 192.168.0.0/24. Keep patterns as narrow as possible, since an external IP lets a Service claim traffic for that address. The behaviour for an empty list is not stated on this page; confirm whether it denies all external IPs (as restrict-external-names-cel does) before relying on the default.

celPoliciesBeta.restrict-external-names-cel📜

Type: object

Default value
enabled: false
parameters:
  allow: []
validationFailureAction: ''

Description: Restrict Services with external names to an allow-list (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.restrict-external-names-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.restrict-external-names-cel.parameters.allow📜

Type: list

Default value
[]

Description: List of allowed external names as RE2 regex patterns (auto-anchored ^…$). Plain strings remain exact matches. An empty, missing, null, or empty-string value denies all ExternalName Services (deny-by-default).

celPoliciesBeta.restrict-image-registries-cel📜

Type: object

Default value
enabled: false
parameters:
  allow: []
validationFailureAction: ''

Description: Restrict container images to registries in the specified list (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.restrict-image-registries-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.restrict-image-registries-cel.parameters.allow📜

Type: list

Default value
[]

Description: List of allowed registries that images may be pulled from. The matching semantics (exact registry host versus prefix match) and the behaviour for an empty list are not documented on this page; confirm them against the policy template before relying on this allow-list, since a loose prefix match could admit look-alike registry names.

celPoliciesBeta.restrict-volume-types-cel📜

Type: object

Default value
enabled: false
parameters:
  allow:
  - configMap
  - csi
  - downwardAPI
  - emptyDir
  - ephemeral
  - persistentVolumeClaim
  - projected
  - secret
validationFailureAction: ''

Description: Restrict volume types to the specified list (VPol). The -cel suffix avoids a name collision with the equivalent CPol during migration.

celPoliciesBeta.restrict-volume-types-cel.validationFailureAction📜

Type: string

Default value
""

Description: Empty string falls through to the global validationFailureAction

celPoliciesBeta.restrict-volume-types-cel.parameters.allow📜

Type: list

Default value
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret

Description: List of allowed Volume types. Valid values are the volume types listed here: https://kubernetes.io/docs/concepts/storage/volumes/#volume-types Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

celPoliciesBeta.update-automountserviceaccounttokens-cel📜

Type: object

Default value
autogenControllers: Deployment,StatefulSet
enabled: false

Description: (The upstream description is truncated on this page; see the chart’s values.yaml for the full parameter list.) Names supplied to this policy are interpreted as anchored RE2 regexes.

celPoliciesBeta.update-automountserviceaccounttokens-cel.autogenControllers📜

Type: string

Default value
"Deployment,StatefulSet"

Description: Pinned to the kinds covered by the legacy ClusterPolicy. Override only if you also want DaemonSet / Job / CronJob template coverage.

additionalPolicies📜

Type: object

Default value
samplePolicy:
  annotations:
    policies.kyverno.io/category: Examples
    policies.kyverno.io/description: This sample policy blocks pods from deploying
      into the 'default' namespace.
    policies.kyverno.io/severity: low
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/title: Sample Policy
  enabled: false
  kind: ClusterPolicy
  namespace: ''
  spec:
    rules:
    - match:
        any:
        - resources:
            kinds:
            - Pods
      name: sample-rule
      validate:
        message: Using 'default' namespace is not allowed.
        pattern:
          metadata:
            namespace: '!default'

Description: Adds custom policies. See https://kyverno.io/docs/introduction/quick-start/ .

additionalPolicies.samplePolicy📜

Type: object

Default value
annotations:
  policies.kyverno.io/category: Examples
  policies.kyverno.io/description: This sample policy blocks pods from deploying into
    the 'default' namespace.
  policies.kyverno.io/severity: low
  policies.kyverno.io/subject: Pod
  policies.kyverno.io/title: Sample Policy
enabled: false
kind: ClusterPolicy
namespace: ''
spec:
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pods
    name: sample-rule
    validate:
      message: Using 'default' namespace is not allowed.
      pattern:
        metadata:
          namespace: '!default'

Description: Name of the policy. Additional policies can be added by adding a key.

additionalPolicies.samplePolicy.enabled📜

Type: bool

Default value
false

Description: Controls policy deployment

additionalPolicies.samplePolicy.kind📜

Type: string

Default value
"ClusterPolicy"

Description: Kind of policy. Currently, “ClusterPolicy” and “Policy” are supported.

additionalPolicies.samplePolicy.namespace📜

Type: string

Default value
""

Description: If kind is “Policy”, which namespace to target. The namespace must already exist.

additionalPolicies.samplePolicy.annotations📜

Type: object

Default value
policies.kyverno.io/category: Examples
policies.kyverno.io/description: This sample policy blocks pods from deploying into
  the 'default' namespace.
policies.kyverno.io/severity: low
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Sample Policy

Description: Policy annotations to add

additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/title”📜

Type: string

Default value
"Sample Policy"

Description: Human readable name of policy

additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/category”📜

Type: string

Default value
"Examples"

Description: Category of policy. Arbitrary.

additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/severity”📜

Type: string

Default value
"low"

Description: Severity of policy if a violation occurs. Choose “critical”, “high”, “medium”, “low”.

additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/subject”📜

Type: string

Default value
"Pod"

Description: Type of resource policy applies to (e.g. Pod, Service, Namespace)

additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/description”📜

Type: string

Default value
"This sample policy blocks pods from deploying into the 'default' namespace."

Description: Description of what the policy does, why it is important, and what items are allowed or unallowed.

additionalPolicies.samplePolicy.spec📜

Type: object

Default value
rules:
- match:
    any:
    - resources:
        kinds:
        - Pods
  name: sample-rule
  validate:
    message: Using 'default' namespace is not allowed.
    pattern:
      metadata:
        namespace: '!default'

Description: Policy specification. See kubectl explain clusterpolicies.spec

additionalPolicies.samplePolicy.spec.rules📜

Type: list

Default value
- match:
    any:
    - resources:
        kinds:
        - Pods
  name: sample-rule
  validate:
    message: Using 'default' namespace is not allowed.
    pattern:
      metadata:
        namespace: '!default'

Description: Policy rules. At least one is required

additionalPolicyExceptions📜

Type: string

Default value
nil

Description: Adds additional PolicyExceptions. Exceptions bypass the matching policy for the resources they cover, so review them with the same rigor as the policies they relax. See https://kyverno.io/docs/policy-types/validating-policy/#exceptions

istio📜

Type: object

Default value
enabled: false

Description: BigBang Istio Toggle and Configuration

bbtests📜

Type: object

Default value
chainsawEnabled: false
enabled: false
imagePullSecret: private-registry
kyvernoCliEnabled: true
legacyEnabled: true
scripts:
  additionalVolumeMounts:
  - mountPath: /yaml
    name: kyverno-policies-bbtest-manifests
  - mountPath: /vpol
    name: kyverno-policies-bbtest-vpol
  - mountPath: /mpol
    name: kyverno-policies-bbtest-mpol
  - mountPath: /gpol
    name: kyverno-policies-bbtest-gpol
  - mountPath: /.kube/cache
    name: kyverno-policies-bbtest-kube-cache
  additionalVolumes:
  - configMap:
      name: kyverno-policies-bbtest-manifests
    name: kyverno-policies-bbtest-manifests
  - configMap:
      name: kyverno-policies-bbtest-vpol
    name: kyverno-policies-bbtest-vpol
  - configMap:
      name: kyverno-policies-bbtest-mpol
    name: kyverno-policies-bbtest-mpol
  - configMap:
      name: kyverno-policies-bbtest-gpol
    name: kyverno-policies-bbtest-gpol
  - emptyDir: {}
    name: kyverno-policies-bbtest-kube-cache
  envs:
    CHAINSAW_ENABLED: '{{ .Values.bbtests.chainsawEnabled }}'
    CPOL_ACTIONS: '{{ $pairs := list }}{{ range $k, $v := .Values.policies }}{{ if
      $v.enabled }}{{ $action := default (dig $k "validationFailureAction" "Audit"
      $.Values.policies) $.Values.validationFailureAction }}{{ $pairs = append $pairs
      (printf "%s=%s" $k $action) }}{{ end }}{{ end }}{{ join " " $pairs }}'
    ENABLED_CPOLS: '{{ $p := list }}{{ range $k, $v := .Values.policies }}{{ if $v.enabled
      }}{{ $p = append $p $k }}{{ end }}{{ end }}{{ join " " $p }}'
    IMAGE_PULL_SECRET: '{{ .Values.bbtests.imagePullSecret }}'
    KYVERNO_CLI_TESTS_ENABLED: '{{ .Values.bbtests.kyvernoCliEnabled }}'
    LEGACY_TESTS_ENABLED: '{{ .Values.bbtests.legacyEnabled }}'
  image: registry1.dso.mil/ironbank/big-bang/devops-tester:1.1
  permissions:
    apiGroups:
    - ''
    resources:
    - configmaps
    - namespaces
    verbs:
    - create
    - delete
    - list
    - get

Description: Reserved values for Big Bang test automation. Leave disabled outside test environments: the test job is granted create/delete on namespaces and configmaps (see permissions above).

waitJob.enabled📜

Type: bool

Default value
true

waitJob.kind📜

Type: string

Default value
"ClusterRole"

waitJob.permissions.apiGroups[0]📜

Type: string

Default value
"kyverno.io"

waitJob.permissions.resources[0]📜

Type: string

Default value
"clusterpolicies"

waitJob.permissions.resources[1]📜

Type: string

Default value
"policies"