kyverno-reporter values.yaml
nameOverride📜
Type: string
""
Description: Override the chart name used for all resources
fullnameOverride📜
Type: string
"policy-reporter"
Description: Overwrite the fullname of all resources
namespaceOverride📜
Type: string
""
Description: Overwrite the namespace of all resources
plugin.trivy.enabled📜
Type: bool
false
plugin.trivy.serviceAccount.create📜
Type: bool
false
plugin.trivy.serviceAccount.automount📜
Type: bool
false
plugin.trivy.serviceAccount.annotations📜
Type: object
{}
plugin.kyverno.enabled📜
Type: bool
false
plugin.kyverno.serviceAccount.create📜
Type: bool
false
plugin.kyverno.serviceAccount.automount📜
Type: bool
false
plugin.kyverno.serviceAccount.annotations📜
Type: object
{}
monitoring.enabled📜
Type: bool
false
monitoring.serviceMonitor.enabled📜
Type: bool
false
monitoring.serviceMonitor.namespace📜
Type: string
""
monitoring.serviceMonitor.scheme📜
Type: string
"https"
monitoring.serviceMonitor.tlsConfig📜
Type: object
{}
monitoring.serviceMonitor.honorLabels📜
Type: bool
false
monitoring.serviceMonitor.scrapeTimeout📜
Type: string
""
monitoring.serviceMonitor.interval📜
Type: string
""
monitoring.serviceMonitor.labels📜
Type: object
{}
monitoring.serviceMonitor.namespaceSelector📜
Type: object
{}
monitoring.serviceMonitor.relabelings📜
Type: list
[]
monitoring.serviceMonitor.metricRelabelings📜
Type: list
[]
monitoring.kyverno.serviceMonitor.enabled📜
Type: bool
false
monitoring.kyverno.serviceMonitor.namespace📜
Type: string
""
monitoring.kyverno.serviceMonitor.scheme📜
Type: string
"https"
monitoring.kyverno.serviceMonitor.tlsConfig📜
Type: object
{}
monitoring.kyverno.serviceMonitor.honorLabels📜
Type: bool
false
monitoring.kyverno.serviceMonitor.scrapeTimeout📜
Type: string
""
monitoring.kyverno.serviceMonitor.interval📜
Type: string
""
monitoring.kyverno.serviceMonitor.labels📜
Type: object
{}
monitoring.kyverno.serviceMonitor.namespaceSelector📜
Type: object
{}
monitoring.kyverno.serviceMonitor.relabelings📜
Type: list
[]
monitoring.kyverno.serviceMonitor.metricRelabelings📜
Type: list
[]
ui.enabled📜
Type: bool
false
image.registry📜
Type: string
"registry1.dso.mil"
image.repository📜
Type: string
"ironbank/opensource/kyverno/policy-reporter"
image.pullPolicy📜
Type: string
"IfNotPresent"
image.tag📜
Type: string
"3.0.3"
Description: Image tag
imagePullSecrets📜
Type: list
[]
Description: Image pullSecrets
priorityClassName📜
Type: string
""
Description: Deployment priorityClassName
replicaCount📜
Type: int
1
Description: Deployment replica count
revisionHistoryLimit📜
Type: int
10
Description: The number of revisions to keep
updateStrategy📜
Type: object
{}
Description: Deployment strategy
port📜
Type: object
name: http
number: 8080
Description: Container port
annotations📜
Type: object
{}
Description: Key/value pairs that are attached to all resources.
rbac.enabled📜
Type: bool
true
Description: Create RBAC resources
serviceAccount.create📜
Type: bool
true
Description: Create ServiceAccount
serviceAccount.automount📜
Type: bool
true
Description: Enable ServiceAccount automount
serviceAccount.annotations📜
Type: object
{}
Description: Annotations for the ServiceAccount
serviceAccount.name📜
Type: string
""
Description: The ServiceAccount name
serviceAccount.automountServiceAccountToken📜
Type: bool
false
service.enabled📜
Type: bool
true
Description: Create Service
service.type📜
Type: string
"ClusterIP"
Description: Service type
service.port📜
Type: int
8080
Description: Service port
service.annotations📜
Type: object
{}
Description: Service annotations
service.labels📜
Type: object
{}
Description: Service labels
podSecurityContext📜
Type: object
fsGroup: 1234
Description: Security context for the pod
securityContext.runAsUser📜
Type: int
1234
securityContext.runAsGroup📜
Type: int
1234
securityContext.runAsNonRoot📜
Type: bool
true
securityContext.privileged📜
Type: bool
false
securityContext.allowPrivilegeEscalation📜
Type: bool
false
securityContext.readOnlyRootFilesystem📜
Type: bool
true
securityContext.capabilities.drop[0]📜
Type: string
"ALL"
securityContext.seccompProfile.type📜
Type: string
"RuntimeDefault"
podAnnotations📜
Type: object
{}
Description: Additional annotations to add to each pod
podLabels📜
Type: object
{}
Description: Additional labels to add to each pod
resources📜
Type: object
{}
Description: Resource constraints
networkPolicy.enabled📜
Type: bool
false
Description: Create NetworkPolicy
networkPolicy.egress📜
Type: list
- ports:
- port: 6443
protocol: TCP
to: null
Description: Egress rule to allow Kubernetes API Server access
networkPolicy.ingress📜
Type: list
[]
ingress.enabled📜
Type: bool
false
Description: Create Ingress. This ingress exposes the policy-reporter core app.
ingress.className📜
Type: string
""
Description: Ingress className
ingress.labels📜
Type: object
{}
Description: Labels for the Ingress
ingress.annotations📜
Type: object
{}
Description: Annotations for the Ingress
ingress.hosts📜
Type: string
nil
Description: Ingress host list
ingress.tls📜
Type: list
[]
Description: Ingress tls list
logging.server📜
Type: bool
false
Description: Enables server access logging
logging.encoding📜
Type: string
"console"
Description: Log encoding. Possible encodings are console and json.
logging.logLevel📜
Type: int
0
Description: Log level. Default is info.
rest.enabled📜
Type: bool
false
Description: Enables the REST API
metrics.enabled📜
Type: bool
false
Description: Enables Prometheus Metrics
metrics.mode📜
Type: string
"detailed"
Description: Metric mode, which allows customizing labels. Allowed values: detailed, simple, custom
metrics.customLabels📜
Type: list
[]
Description: List of labels used in custom mode. Supported fields are: “namespace”, “rule”, “policy”, “report” (PolicyReport name), “kind” (resource kind), “name” (resource name), “status”, “severity”, “category”, “source”
metrics.filter📜
Type: object
{}
Description: Filter results to reduce cardinality
profiling.enabled📜
Type: bool
false
Description: Enable profiling with pprof
worker📜
Type: int
5
Description: Amount of queue workers for PolicyReport resource processing
reportFilter📜
Type: object
{}
Description: Filter PolicyReport resources to process
sourceConfig📜
Type: list
[]
Description: Customize source specific logic like result ID generation
sourceFilters[0].selector.source📜
Type: string
"kyverno"
Description: select PolicyReport by source
sourceFilters[0].uncontrolledOnly📜
Type: bool
true
Description: Filter out PolicyReports of controlled Pods and Jobs, only works for PolicyReport with scope resource
sourceFilters[0].disableClusterReports📜
Type: bool
false
Description: Filter out ClusterPolicyReports
sourceFilters[0].kinds📜
Type: object
exclude:
- ReplicaSet
Description: Filter out PolicyReports based on the scope resource kind
global.labels📜
Type: object
{}
Description: additional labels added on each resource
basicAuth.username📜
Type: string
""
Description: HTTP BasicAuth username
basicAuth.password📜
Type: string
""
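Description: HTTP BasicAuth password. A value set here is stored in plain text in the chart values; basicAuth.secretRef can supply it from a Secret instead.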
basicAuth.secretRef📜
Type: optional
""
Description: Secret reference to get username and/or password from
emailReports.clusterName📜
Type: optional
""
Description: Displayed in the email report if configured
emailReports.titlePrefix📜
Type: string
"Report"
Description: Title prefix in the email subject
emailReports.resources📜
Type: object
{}
Description: Resource constraints for the created CronJobs
emailReports.smtp.secret📜
Type: optional
""
Description: Secret reference to provide the complete or partial SMTP configuration
emailReports.smtp.host📜
Type: string
""
Description: SMTP Server Host
emailReports.smtp.port📜
Type: int
465
Description: SMTP Server Port
emailReports.smtp.username📜
Type: string
""
Description: SMTP Username
emailReports.smtp.password📜
Type: string
""
Description: SMTP Password
emailReports.smtp.from📜
Type: string
""
Description: Displayed from email address
emailReports.smtp.encryption📜
Type: string
""
Description: SMTP encryption. Default is none; supports ssl/tls and starttls.
emailReports.smtp.skipTLS📜
Type: bool
false
Description: Skip SMTP TLS verification. When true, the SMTP server's certificate is not validated; the default false keeps validation on.
emailReports.smtp.certificate📜
Type: string
""
Description: SMTP Server Certificate file path
emailReports.summary.enabled📜
Type: bool
false
Description: Enable Summary E-Mail reports
emailReports.summary.schedule📜
Type: string
"0 8 * * *"
Description: CronJob schedule
emailReports.summary.activeDeadlineSeconds📜
Type: int
300
Description: CronJob activeDeadlineSeconds
emailReports.summary.backoffLimit📜
Type: int
3
Description: CronJob backoffLimit
emailReports.summary.ttlSecondsAfterFinished📜
Type: int
0
Description: CronJob ttlSecondsAfterFinished
emailReports.summary.restartPolicy📜
Type: string
"Never"
Description: CronJob restartPolicy
emailReports.summary.to📜
Type: list
[]
Description: List of receiver email addresses
emailReports.summary.filter📜
Type: optional
{}
Description: Report filter
emailReports.summary.channels📜
Type: optional
[]
Description: Channels can be used to send only a subset of namespaces / sources to dedicated email addresses
emailReports.violations.enabled📜
Type: bool
false
Description: Enable Violation Summary E-Mail reports
emailReports.violations.schedule📜
Type: string
"0 8 * * *"
Description: CronJob schedule
emailReports.violations.activeDeadlineSeconds📜
Type: int
300
Description: CronJob activeDeadlineSeconds
emailReports.violations.backoffLimit📜
Type: int
3
Description: CronJob backoffLimit
emailReports.violations.ttlSecondsAfterFinished📜
Type: int
0
Description: CronJob ttlSecondsAfterFinished
emailReports.violations.restartPolicy📜
Type: string
"Never"
Description: CronJob restartPolicy
emailReports.violations.to📜
Type: list
[]
Description: List of receiver email addresses
emailReports.violations.filter📜
Type: optional
{}
Description: Report filter
emailReports.violations.channels📜
Type: optional
[]
Description: Channels can be used to send only a subset of namespaces / sources to dedicated email addresses
existingTargetConfig.enabled📜
Type: bool
false
Description: Use an already existing configuration
existingTargetConfig.name📜
Type: string
""
Description: Name of the secret with the config
existingTargetConfig.subPath📜
Type: string
""
Description: SubPath within the secret (defaults to config.yaml)
target.loki.host📜
Type: string
""
Description: Host Address
target.loki.path📜
Type: string
""
Description: Loki API, defaults to “/loki/api/v1/push”
target.loki.certificate📜
Type: string
""
Description: Server Certificate file path. Can be added under extraVolumes.
target.loki.skipTLS📜
Type: bool
false
Description: Skip TLS verification. When true, the target's server certificate is not validated.
target.loki.secretRef📜
Type: string
""
Description: Read configuration from an already existing Secret
target.loki.mountedSecret📜
Type: string
""
Description: Mounted secret path by Secrets Controller, secret should be in json format
target.loki.minimumSeverity📜
Type: string
""
Description: Minimum severity: “” < info < low < medium < high < critical
target.loki.sources📜
Type: list
[]
Description: List of sources which should send
target.loki.skipExistingOnStartup📜
Type: bool
true
Description: Skip already existing PolicyReportResults on startup
target.loki.customFields📜
Type: object
{}
Description: Added as additional labels
target.loki.headers📜
Type: object
{}
Description: Additional HTTP Headers
target.loki.username📜
Type: string
""
Description: HTTP BasicAuth username
target.loki.password📜
Type: string
""
Description: HTTP BasicAuth password
target.loki.filter📜
Type: object
{}
Description: Filter which results are sent to this target. Wildcards for namespaces and policies are supported; you can define either exclude or include values. Filters are available for all targets except the UI.
target.loki.channels📜
Type: list
[]
Description: List of channels to route results to different configurations
target.elasticsearch.host📜
Type: string
""
Description: Host address
target.elasticsearch.certificate📜
Type: string
""
Description: Server Certificate file path. Can be added under extraVolumes.
target.elasticsearch.skipTLS📜
Type: bool
false
Description: Skip TLS verification
target.elasticsearch.headers📜
Type: object
{}
Description: Additional HTTP Headers
target.elasticsearch.index📜
Type: string
"policy-reporter"
Description: Elasticsearch index (default: policy-reporter)
target.elasticsearch.rotation📜
Type: string
"daily"
Description: Elasticsearch index rotation and index suffix. Possible values: daily, monthly, annually, none (default: daily)
target.elasticsearch.typelessApi📜
Type: bool
false
Description: Enables the Elasticsearch typeless API (https://www.elastic.co/blog/moving-from-types-to-typeless-apis-in-elasticsearch-7-0). Kept as false for backward compatibility.
target.elasticsearch.username📜
Type: string
""
Description: HTTP BasicAuth username
target.elasticsearch.password📜
Type: string
""
Description: HTTP BasicAuth password
target.elasticsearch.apiKey📜
Type: string
""
Description: Elasticsearch API Key for api key authentication
target.elasticsearch.secretRef📜
Type: string
""
Description: Read configuration from an already existing Secret
target.elasticsearch.mountedSecret📜
Type: string
""
Description: Mounted secret path by Secrets Controller, secret should be in json format
target.elasticsearch.minimumSeverity📜
Type: string
""
Description: Minimum severity: “” < info < low < medium < high < critical
target.elasticsearch.sources📜
Type: list
[]
Description: List of sources which should send
target.elasticsearch.skipExistingOnStartup📜
Type: bool
true
Description: Skip already existing PolicyReportResults on startup
target.elasticsearch.customFields📜
Type: object
{}
Description: Added as additional labels
target.elasticsearch.filter📜
Type: object
{}
Description: Filter which results are sent to this target. Wildcards for namespaces and policies are supported; you can define either exclude or include values. Filters are available for all targets except the UI.
target.elasticsearch.channels📜
Type: list
[]
Description: List of channels to route results to different configurations
target.slack.webhook📜
Type: string
""
Description: Webhook Address
target.slack.channel📜
Type: string
""
Description: Slack Channel
target.slack.secretRef📜
Type: string
""
Description: Read configuration from an already existing Secret
target.slack.mountedSecret📜
Type: string
""
Description: Mounted secret path by Secrets Controller, secret should be in json format
target.slack.minimumSeverity📜
Type: string
""
Description: Minimum severity: “” < info < low < medium < high < critical
target.slack.sources📜
Type: list
[]
Description: List of sources which should send
target.slack.skipExistingOnStartup📜
Type: bool
true
Description: Skip already existing PolicyReportResults on startup
target.slack.customFields📜
Type: object
{}
Description: Added as additional labels
target.slack.filter📜
Type: object
{}
Description: Filter which results are sent to this target. Wildcards for namespaces and policies are supported; you can define either exclude or include values. Filters are available for all targets except the UI.
target.slack.channels📜
Type: list
[]
Description: List of channels to route results to different configurations
target.discord.webhook📜
Type: string
""
Description: Webhook Address
target.discord.certificate📜
Type: string
""
Description: Server Certificate file path. Can be added under extraVolumes.
target.discord.skipTLS📜
Type: bool
false
Description: Skip TLS verification
target.discord.headers📜
Type: object
{}
Description: Additional HTTP Headers
target.discord.secretRef📜
Type: string
""
Description: Read configuration from an already existing Secret
target.discord.mountedSecret📜
Type: string
""
Description: Mounted secret path by Secrets Controller, secret should be in json format
target.discord.minimumSeverity📜
Type: string
""
Description: Minimum severity: “” < info < low < medium < high < critical
target.discord.sources📜
Type: list
[]
Description: List of sources which should send
target.discord.skipExistingOnStartup📜
Type: bool
true
Description: Skip already existing PolicyReportResults on startup
target.discord.customFields📜
Type: object
{}
Description: Added as additional labels
target.discord.filter📜
Type: object
{}
Description: Filter which results are sent to this target. Wildcards for namespaces and policies are supported; you can define either exclude or include values. Filters are available for all targets except the UI.
target.discord.channels📜
Type: list
[]
Description: List of channels to route results to different configurations
target.teams.webhook📜
Type: string
""
Description: Webhook Address
target.teams.certificate📜
Type: string
""
Description: Server Certificate file path. Can be added under extraVolumes.
target.teams.skipTLS📜
Type: bool
false
Description: Skip TLS verification
target.teams.headers📜
Type: object
{}
Description: Additional HTTP Headers
target.teams.secretRef📜
Type: string
""
Description: Read configuration from an already existing Secret
target.teams.mountedSecret📜
Type: string
""
Description: Mounted secret path by Secrets Controller, secret should be in json format
target.teams.minimumSeverity📜
Type: string
""
Description: Minimum severity: “” < info < low < medium < high < critical
target.teams.sources📜
Type: list
[]
Description: List of sources which should send
target.teams.skipExistingOnStartup📜
Type: bool
true
Description: Skip already existing PolicyReportResults on startup
target.teams.customFields📜
Type: object
{}
Description: Added as additional labels
target.teams.filter📜
Type: object
{}
Description: Filter which results are sent to this target. Wildcards for namespaces and policies are supported; you can define either exclude or include values. Filters are available for all targets except the UI.
target.teams.channels📜
Type: list
[]
Description: List of channels to route results to different configurations
target.webhook.webhook📜
Type: string
""
Description: Webhook Address
target.webhook.certificate📜
Type: string
""
Description: Server Certificate file path. Can be added under extraVolumes.
target.webhook.skipTLS📜
Type: bool
false
Description: Skip TLS verification
target.webhook.headers📜
Type: object
{}
Description: Additional HTTP Headers
target.webhook.secretRef📜
Type: string
""
Description: Read configuration from an already existing Secret
target.webhook.mountedSecret📜
Type: string
""
Description: Mounted secret path by Secrets Controller, secret should be in json format
target.webhook.minimumSeverity📜
Type: string
""
Description: Minimum severity: “” < info < low < medium < high < critical
target.webhook.sources📜
Type: list
[]
Description: List of sources which should send
target.webhook.skipExistingOnStartup📜
Type: bool
true
Description: Skip already existing PolicyReportResults on startup
target.webhook.customFields📜
Type: object
{}
Description: Added as additional labels
target.webhook.filter📜
Type: object
{}
Description: Filter which results are sent to this target. Wildcards for namespaces and policies are supported; you can define either exclude or include values. Filters are available for all targets except the UI.
target.webhook.channels📜
Type: list
[]
Description: List of channels to route results to different configurations
target.telegram.token📜
Type: string
""
Description: Telegram bot token
target.telegram.chatId📜
Type: string
""
Description: Telegram chat id
target.telegram.host📜
Type: optional
""
Description: Telegram proxy host
target.telegram.certificate📜
Type: string
""
Description: Server Certificate file path. Can be added under extraVolumes.
target.telegram.skipTLS📜
Type: bool
false
Description: Skip TLS verification
target.telegram.headers📜
Type: object
{}
Description: Additional HTTP Headers
target.telegram.secretRef📜
Type: string
""
Description: Read configuration from an already existing Secret
target.telegram.mountedSecret📜
Type: string
""
Description: Mounted secret path by Secrets Controller, secret should be in json format
target.telegram.minimumSeverity📜
Type: string
""
Description: Minimum severity: “” < info < low < medium < high < critical
target.telegram.sources📜
Type: list
[]
Description: List of sources which should send
target.telegram.skipExistingOnStartup📜
Type: bool
true
Description: Skip already existing PolicyReportResults on startup
target.telegram.customFields📜
Type: object
{}
Description: Added as additional labels
target.telegram.filter📜
Type: object
{}
Description: Filter which results are sent to this target. Wildcards for namespaces and policies are supported; you can define either exclude or include values. Filters are available for all targets except the UI.
target.telegram.channels📜
Type: list
[]
Description: List of channels to route results to different configurations
target.googleChat.webhook📜
Type: string
""
Description: Webhook Address
target.googleChat.certificate📜
Type: string
""
Description: Server Certificate file path. Can be added under extraVolumes.
target.googleChat.skipTLS📜
Type: bool
false
Description: Skip TLS verification
target.googleChat.headers📜
Type: object
{}
Description: Additional HTTP Headers
target.googleChat.secretRef📜
Type: string
""
Description: Read configuration from an already existing Secret
target.googleChat.mountedSecret📜
Type: string
""
Description: Mounted secret path by Secrets Controller, secret should be in json format
target.googleChat.minimumSeverity📜
Type: string
""
Description: Minimum severity: “” < info < low < medium < high < critical
target.googleChat.sources📜
Type: list
[]
Description: List of sources which should send
target.googleChat.skipExistingOnStartup📜
Type: bool
true
Description: Skip already existing PolicyReportResults on startup
target.googleChat.customFields📜
Type: object
{}
Description: Added as additional labels
target.googleChat.filter📜
Type: object
{}
Description: Filter which results are sent to this target. Wildcards for namespaces and policies are supported; you can define either exclude or include values. Filters are available for all targets except the UI.
target.googleChat.channels📜
Type: list
[]
Description: List of channels to route results to different configurations
target.s3.accessKeyId📜
Type: optional
""
Description: S3 Access key
target.s3.secretAccessKey📜
Type: optional
""
Description: S3 SecretAccess key
target.s3.region📜
Type: optional
""
Description: S3 Storage region
target.s3.endpoint📜
Type: optional
""
Description: S3 Storage endpoint
target.s3.bucket📜
Type: required
""
Description: S3 Storage bucket name
target.s3.bucketKeyEnabled📜
Type: bool
false
Description: S3 Storage to use an S3 Bucket Key for object encryption with SSE-KMS
target.s3.kmsKeyId📜
Type: string
""
Description: S3 Storage KMS Key ID for object encryption with SSE-KMS
target.s3.serverSideEncryption📜
Type: string
""
Description: S3 Storage server-side encryption algorithm used when storing this object in Amazon S3: AES256 or aws:kms
target.s3.pathStyle📜
Type: bool
false
Description: S3 Storage, force path style configuration
target.s3.prefix📜
Type: string
""
Description: Used prefix, keys will have format: s3://$bucket/$prefix/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
target.s3.secretRef📜
Type: string
""
Description: Read configuration from an already existing Secret
target.s3.mountedSecret📜
Type: string
""
Description: Mounted secret path by Secrets Controller, secret should be in json format
target.s3.minimumSeverity📜
Type: string
""
Description: Minimum severity: “” < info < low < medium < high < critical
target.s3.sources📜
Type: list
[]
Description: List of sources which should send
target.s3.skipExistingOnStartup📜
Type: bool
true
Description: Skip already existing PolicyReportResults on startup
target.s3.customFields📜
Type: object
{}
Description: Added as additional labels
target.s3.filter📜
Type: object
{}
Description: Filter which results are sent to this target. Wildcards for namespaces and policies are supported; you can define either exclude or include values. Filters are available for all targets except the UI.
target.s3.channels📜
Type: list
[]
Description: List of channels to route results to different configurations
target.kinesis.accessKeyId📜
Type: optional
""
Description: Access key
target.kinesis.secretAccessKey📜
Type: optional
""
Description: SecretAccess key
target.kinesis.region📜
Type: optional
""
Description: Region
target.kinesis.endpoint📜
Type: optional
""
Description: Endpoint
target.kinesis.streamName📜
Type: required
""
Description: StreamName
target.kinesis.secretRef📜
Type: string
""
Description: Read configuration from an already existing Secret
target.kinesis.mountedSecret📜
Type: string
""
Description: Mounted secret path by Secrets Controller, secret should be in json format
target.kinesis.minimumSeverity📜
Type: string
""
Description: Minimum severity: “” < info < low < medium < high < critical
target.kinesis.sources📜
Type: list
[]
Description: List of sources which should send
target.kinesis.skipExistingOnStartup📜
Type: bool
true
Description: Skip already existing PolicyReportResults on startup
target.kinesis.customFields📜
Type: object
{}
Description: Added as additional labels
target.kinesis.filter📜
Type: object
{}
Description: Filter which results are sent to this target. Wildcards for namespaces and policies are supported; you can define either exclude or include values. Filters are available for all targets except the UI.
target.kinesis.channels📜
Type: list
[]
Description: List of channels to route results to different configurations
target.securityHub.accessKeyId📜
Type: optional
""
Description: Access key
target.securityHub.secretAccessKey📜
Type: optional
""
Description: SecretAccess key
target.securityHub.region📜
Type: optional
""
Description: Region
target.securityHub.endpoint📜
Type: optional
""
Description: Endpoint
target.securityHub.accountId📜
Type: required
""
Description: AccountId
target.securityHub.productName📜
Type: optional
""
Description: Used product name, defaults to “Policy Reporter”
target.securityHub.companyName📜
Type: optional
""
Description: Used company name, defaults to “Kyverno”
target.securityHub.synchronize📜
Type: bool
true
Description: Enable cleanup listener for SecurityHub
target.securityHub.delayInSeconds📜
Type: int
2
Description: Delay between AWS GetFindings API calls, to avoid hitting the API RequestLimit
target.securityHub.secretRef📜
Type: string
""
Description: Read configuration from an already existing Secret
target.securityHub.mountedSecret📜
Type: string
""
Description: Mounted secret path by Secrets Controller, secret should be in json format
target.securityHub.minimumSeverity📜
Type: string
""
Description: Minimum severity: “” < info < low < medium < high < critical
target.securityHub.sources📜
Type: list
[]
Description: List of sources which should send
target.securityHub.skipExistingOnStartup📜
Type: bool
true
Description: Skip already existing PolicyReportResults on startup
target.securityHub.customFields📜
Type: object
{}
Description: Added as additional labels
target.securityHub.filter📜
Type: object
{}
Description: Filter which results are sent to this target. Wildcards for namespaces and policies are supported; you can define either exclude or include values. Filters are available for all targets except the UI.
target.securityHub.channels📜
Type: list
[]
Description: List of channels to route results to different configurations
target.gcs.credentials📜
Type: optional
""
Description: GCS (Google Cloud Storage) Service Account Credentials
target.gcs.bucket📜
Type: required
""
Description: GCS Bucket
target.gcs.secretRef📜
Type: string
""
Description: Read configuration from an already existing Secret
target.gcs.mountedSecret📜
Type: string
""
Description: Mounted secret path by Secrets Controller, secret should be in json format
target.gcs.minimumSeverity📜
Type: string
""
Description: Minimum severity: “” < info < low < medium < high < critical
target.gcs.sources📜
Type: list
[]
Description: List of sources which should send
target.gcs.skipExistingOnStartup📜
Type: bool
true
Description: Skip already existing PolicyReportResults on startup
target.gcs.customFields📜
Type: object
{}
Description: Added as additional labels
target.gcs.filter📜
Type: object
{}
Description: Filter which results are sent to this target. Wildcards for namespaces and policies are supported; you can define either exclude or include values. Filters are available for all targets except the UI.
target.gcs.channels📜
Type: list
[]
Description: List of channels to route results to different configurations
leaderElection.releaseOnCancel📜
Type: bool
true
leaderElection.leaseDuration📜
Type: int
15
leaderElection.renewDeadline📜
Type: int
10
leaderElection.retryPeriod📜
Type: int
2
redis.enabled📜
Type: bool
false
Description: Enables Redis as external result cache, uses in memory cache by default
redis.address📜
Type: string
""
Description: Redis host
redis.database📜
Type: int
0
Description: Redis database
redis.prefix📜
Type: string
"policy-reporter"
Description: Redis key prefix
redis.username📜
Type: optional
""
Description: Username
redis.password📜
Type: optional
""
Description: Password
database.type📜
Type: string
""
Description: Use an external Database, supported: mysql, postgres, mariadb
database.database📜
Type: string
""
Description: Database
database.username📜
Type: string
""
Description: Username
database.password📜
Type: string
""
Description: Password
database.host📜
Type: string
""
Description: Host Address
database.enableSSL📜
Type: bool
false
Description: Enables SSL
database.dsn📜
Type: string
""
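Description: Instead of configuring the individual values, you can also provide a DSN string. Example postgres: postgres://postgres:password@localhost:5432/postgres?sslmode=disable Example mysql: root:password@tcp(localhost:3306)/test?tls=false Both examples embed the password and turn transport encryption off (sslmode=disable, tls=false); the dsn can instead be read from database.secretRef.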
database.secretRef📜
Type: string
""
Description: Read configuration from an existing Secret. Supported fields: username, password, host, dsn, database
database.mountedSecret📜
Type: string
""
podDisruptionBudget.minAvailable📜
Type: int
1
Description: Configures the minimum available pods for policy-reporter disruptions. Cannot be used if maxUnavailable is set.
podDisruptionBudget.maxUnavailable📜
Type: string
nil
Description: Configures the maximum unavailable pods for policy-reporter disruptions. Cannot be used if minAvailable is set.
nodeSelector📜
Type: object
{}
Description: Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/
tolerations📜
Type: list
[]
Description: Tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
affinity📜
Type: object
{}
Description: Anti-affinity to disallow deploying client and master nodes on the same worker node
topologySpreadConstraints📜
Type: list
[]
Description: Topology Spread Constraints to better spread pods
livenessProbe📜
Type: object
httpGet:
path: /ready
port: http
Description: Deployment livenessProbe for policy-reporter
readinessProbe📜
Type: object
httpGet:
path: /healthz
port: http
Description: Deployment readinessProbe for policy-reporter
sqliteVolume📜
Type: object
{}
envVars📜
Type: list
[]
Description: Allow additional env variables to be added
tmpVolume📜
Type: object
{}
Description: Allow custom configuration of the /tmp volume
networkPolicies.enabled📜
Type: bool
false
networkPolicies.controlPlaneCidr📜
Type: string
"0.0.0.0/0"
networkPolicies.additionalPolicies📜
Type: list
[]
extraVolumes.volumeMounts📜
Type: list
[]
openshift📜
Type: bool
false
istio.enabled📜
Type: bool
false
istio.mtls.mode📜
Type: string
"STRICT"
istio.hardened.enabled📜
Type: bool
false
istio.hardened.outboundTrafficPolicyMode📜
Type: string
"REGISTRY_ONLY"
istio.hardened.customServiceEntries📜
Type: list
[]
bbtests.enabled📜
Type: bool
false
bbtests.cypress.artifacts📜
Type: bool
true
bbtests.cypress.envs.cypress_grafana_url📜
Type: string
"http://grafana.monitoring.svc.cluster.local"
bbtests.cypress.envs.cypress_prometheus_url📜
Type: string
"http://monitoring-kube-prometheus-prometheus.monitoring.svc.cluster.local:9090"
bbtests.cypress.envs.cypress_grafana_user📜
Type: string
"admin"
bbtests.cypress.envs.cypress_grafana_pass📜
Type: string
"prom-operator"
bbtests.cypress.envs.cypress_reporter_ns📜
Type: string
"kyverno-reporter"
bbtests.scripts.image📜
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.11"
bbtests.scripts.envs.KYVERNO_REPORTER_URL📜
Type: string
"http://policy-reporter.kyverno-reporter.svc:8080"
bbtests.volumes📜
Type: list
[]