kyverno values.yaml📜
global.image.registry📜
Type: string
"registry1.dso.mil"
Description: Global value that allows to set a single image registry across all deployments. When set, it will override any values set under .image.registry across the chart.
global.imagePullSecrets[0].name📜
Type: string
"private-registry"
global.resyncPeriod📜
Type: string
"15m"
Description: Resync period for informers
global.caCertificates.data📜
Type: string
nil
Description: Global CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates Individual controller values will override this global value
global.caCertificates.volume📜
Type: object
{}
Description: Global value to set single volume to be mounted for CA certificates for all deployments. Not used when .Values.global.caCertificates.data is defined Individual controller values will override this global value
global.extraEnvVars📜
Type: list
[]
Description: Additional container environment variables to apply to all containers and init containers
global.nodeSelector📜
Type: object
{}
Description: Global node labels for pod assignment. Non-global values will override the global value.
global.tolerations📜
Type: list
[]
Description: Global List of node taints to tolerate. Non-global values will override the global value.
nameOverride📜
Type: string
nil
Description: Override the name of the chart
fullnameOverride📜
Type: string
nil
Description: Override the expanded name of the chart
namespaceOverride📜
Type: string
nil
Description: Override the namespace the chart deploys to
upgrade.fromV2📜
Type: bool
true
Description: Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed.
apiVersionOverride.podDisruptionBudget📜
Type: string
"policy/v1"
Description: Override api version used to create PodDisruptionBudget`` resources. When not specified the chart will check ifpolicy/v1/PodDisruptionBudget` is available to determine the api version automatically.
crds.install📜
Type: bool
true
Description: Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created
crds.groups.kyverno📜
Type: object
cleanuppolicies: true
clustercleanuppolicies: true
clusterpolicies: true
globalcontextentries: true
policies: true
policyexceptions: true
updaterequests: true
Description: Install CRDs in group kyverno.io
crds.groups.reports📜
Type: object
clusterephemeralreports: true
ephemeralreports: true
Description: Install CRDs in group reports.kyverno.io
crds.groups.wgpolicyk8s📜
Type: object
clusterpolicyreports: true
policyreports: true
Description: Install CRDs in group wgpolicyk8s.io
crds.annotations📜
Type: object
{}
Description: Additional CRDs annotations
crds.customLabels📜
Type: object
{}
Description: Additional CRDs labels
crds.migration.enabled📜
Type: bool
true
Description: Enable CRDs migration using helm post upgrade hook
crds.migration.resources📜
Type: list
- cleanuppolicies.kyverno.io
- clustercleanuppolicies.kyverno.io
- clusterpolicies.kyverno.io
- globalcontextentries.kyverno.io
- policies.kyverno.io
- policyexceptions.kyverno.io
- updaterequests.kyverno.io
Description: Resources to migrate
crds.migration.image.registry📜
Type: string
nil
Description: Image registry
crds.migration.image.defaultRegistry📜
Type: string
"registry1.dso.mil"
crds.migration.image.repository📜
Type: string
"ironbank/opensource/kyverno/kyvernocli"
Description: Image repository
crds.migration.image.tag📜
Type: string
"v1.13.4"
Description: Image tag Defaults to appVersion in Chart.yaml if omitted
crds.migration.image.pullPolicy📜
Type: string
nil
Description: Image pull policy
crds.migration.imagePullSecrets[0].name📜
Type: string
"private-registry"
crds.podSecurityContext📜
Type: object
nodeAffinity: {}
nodeSelector: {}
podAffinity: {}
podAnnotations: {}
podAntiAffinity: {}
podLabels: {}
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
tolerations: []
Description: Security context for the pod
crds.podSecurityContext.nodeSelector📜
Type: object
{}
Description: Node labels for pod assignment
crds.podSecurityContext.tolerations📜
Type: list
[]
Description: List of node taints to tolerate
crds.podSecurityContext.podAntiAffinity📜
Type: object
{}
Description: Pod anti affinity constraints.
crds.podSecurityContext.podAffinity📜
Type: object
{}
Description: Pod affinity constraints.
crds.podSecurityContext.podLabels📜
Type: object
{}
Description: Pod labels.
crds.podSecurityContext.podAnnotations📜
Type: object
{}
Description: Pod annotations.
crds.podSecurityContext.nodeAffinity📜
Type: object
{}
Description: Node affinity constraints.
crds.podSecurityContext.securityContext📜
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
Description: Security context for the hook containers
config.create📜
Type: bool
true
Description: Create the configmap.
config.preserve📜
Type: bool
true
Description: Preserve the configmap settings during upgrade.
config.name📜
Type: string
nil
Description: The configmap name (required if create is false).
config.annotations📜
Type: object
{}
Description: Additional annotations to add to the configmap.
config.enableDefaultRegistryMutation📜
Type: bool
true
Description: Enable registry mutation for container images. Enabled by default.
config.defaultRegistry📜
Type: string
"registry1.dso.mil"
Description: The registry hostname used for the image mutation.
config.excludeGroups📜
Type: list
- system:nodes
Description: Exclude groups
config.excludeUsernames📜
Type: list
[]
Description: Exclude usernames
config.excludeRoles📜
Type: list
[]
Description: Exclude roles
config.excludeClusterRoles📜
Type: list
[]
Description: Exclude roles
config.generateSuccessEvents📜
Type: bool
false
Description: Generate success events.
config.updateRequestThreshold📜
Type: int
1000
Description: Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies.
config.webhooks📜
Type: object
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- kube-system
Description: Defines the namespaceSelector/objectSelector in the webhook configurations. The Kyverno namespace is excluded if excludeKyvernoNamespace is true (default)
config.webhookAnnotations📜
Type: object
admissions.enforcer/disabled: 'true'
Description: Defines annotations to set on webhook configurations.
config.webhookLabels📜
Type: object
{}
Description: Defines labels to set on webhook configurations.
config.matchConditions📜
Type: list
[]
Description: Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+).
config.excludeKyvernoNamespace📜
Type: bool
true
Description: Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters
config.resourceFiltersExcludeNamespaces📜
Type: list
[]
Description: resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters
config.resourceFiltersExclude📜
Type: list
[]
Description: resourceFilters exclude list Items to exclude from config.resourceFilters
config.resourceFiltersIncludeNamespaces📜
Type: list
[]
Description: resourceFilter namespace include Namespaces to include to the default resourceFilters
config.resourceFiltersInclude📜
Type: list
[]
Description: resourceFilters include list Items to include to config.resourceFilters
metricsConfig.create📜
Type: bool
true
Description: Create the configmap.
metricsConfig.name📜
Type: string
nil
Description: The configmap name (required if create is false).
metricsConfig.annotations📜
Type: object
{}
Description: Additional annotations to add to the configmap.
metricsConfig.namespaces.include📜
Type: list
[]
Description: List of namespaces to capture metrics for.
metricsConfig.namespaces.exclude📜
Type: list
[]
Description: list of namespaces to NOT capture metrics for.
metricsConfig.metricsRefreshInterval📜
Type: string
nil
Description: Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno’s metrics. Default: 0, no refresh of metrics. WARNING: This flag is not working since Kyverno 1.8.0
metricsConfig.bucketBoundaries📜
Type: list
- 0.005
- 0.01
- 0.025
- 0.05
- 0.1
- 0.25
- 0.5
- 1
- 2.5
- 5
- 10
- 15
- 20
- 25
- 30
Description: Configures the bucket boundaries for all Histogram metrics, changing this configuration requires restart of the kyverno admission controller
metricsConfig.metricsExposure.kyverno_policy_execution_duration_seconds.disabledLabelDimensions[0]📜
Type: string
"resource_namespace"
metricsConfig.metricsExposure.kyverno_policy_execution_duration_seconds.disabledLabelDimensions[1]📜
Type: string
"resource_request_operation"
metricsConfig.metricsExposure.kyverno_admission_review_duration_seconds.disabledLabelDimensions[0]📜
Type: string
"resource_namespace"
metricsConfig.metricsExposure.kyverno_policy_rule_info_total.disabledLabelDimensions[0]📜
Type: string
"resource_namespace"
metricsConfig.metricsExposure.kyverno_policy_rule_info_total.disabledLabelDimensions[1]📜
Type: string
"policy_namespace"
metricsConfig.metricsExposure.kyverno_policy_results_total.disabledLabelDimensions[0]📜
Type: string
"resource_namespace"
metricsConfig.metricsExposure.kyverno_policy_results_total.disabledLabelDimensions[1]📜
Type: string
"policy_namespace"
metricsConfig.metricsExposure.kyverno_admission_requests_total.disabledLabelDimensions[0]📜
Type: string
"resource_namespace"
metricsConfig.metricsExposure.kyverno_cleanup_controller_deletedobjects_total.disabledLabelDimensions[0]📜
Type: string
"resource_namespace"
metricsConfig.metricsExposure.kyverno_cleanup_controller_deletedobjects_total.disabledLabelDimensions[1]📜
Type: string
"policy_namespace"
imagePullSecrets📜
Type: object
{}
Description: Image pull secrets for image verification policies, this will define the --imagePullSecrets argument
existingImagePullSecrets📜
Type: list
- private-registry
Description: Existing Image pull secrets for image verification policies, this will define the --imagePullSecrets argument
test.sleep📜
Type: int
20
Description: Sleep time before running test
test.image.registry📜
Type: string
"registry1.dso.mil"
Description: Image registry
test.image.repository📜
Type: string
"ironbank/redhat/ubi/ubi9-minimal"
Description: Image repository
test.image.tag📜
Type: string
"9.5"
Description: Image tag Defaults to latest if omitted
test.image.pullPolicy📜
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
test.imagePullSecrets📜
Type: list
- name: private-registry
Description: Image pull secrets
test.resources.limits📜
Type: object
cpu: 100m
memory: 256Mi
Description: Pod resource limits
test.resources.requests📜
Type: object
cpu: 10m
memory: 64Mi
Description: Pod resource requests
test.podSecurityContext📜
Type: object
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
Description: Security context for the test pod
test.securityContext📜
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
Description: Security context for the test containers
customLabels📜
Type: object
{}
Description: Additional labels
webhooksCleanup.enabled📜
Type: bool
true
Description: Create a helm pre-delete hook to cleanup webhooks.
webhooksCleanup.autoDeleteWebhooks.enabled📜
Type: bool
false
Description: Allow webhooks controller to delete webhooks using finalizers
webhooksCleanup.image.registry📜
Type: string
"registry1.dso.mil"
Description: Image registry
webhooksCleanup.image.repository📜
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
webhooksCleanup.image.tag📜
Type: string
"v1.30.10"
Description: Image tag Defaults to latest if omitted
webhooksCleanup.image.pullPolicy📜
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
webhooksCleanup.imagePullSecrets📜
Type: list
- name: private-registry
Description: Image pull secrets
webhooksCleanup.automountServiceAccountToken.enabled📜
Type: bool
true
webhooksCleanup.podSecurityContext📜
Type: object
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
Description: Security context for the pod
webhooksCleanup.nodeSelector📜
Type: object
{}
Description: Node labels for pod assignment
webhooksCleanup.tolerations📜
Type: list
[]
Description: List of node taints to tolerate
webhooksCleanup.podAntiAffinity📜
Type: object
{}
Description: Pod anti affinity constraints.
webhooksCleanup.podAffinity📜
Type: object
{}
Description: Pod affinity constraints.
webhooksCleanup.podLabels📜
Type: object
{}
Description: Pod labels.
webhooksCleanup.podAnnotations📜
Type: object
{}
Description: Pod annotations.
webhooksCleanup.nodeAffinity📜
Type: object
{}
Description: Node affinity constraints.
webhooksCleanup.securityContext📜
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
type: RuntimeDefault
Description: Security context for the hook containers
webhooksCleanup.resources📜
Type: object
limits:
cpu: '0.5'
memory: 256Mi
requests:
cpu: '0.5'
memory: 256Mi
Description: Resource limits for the containers
policyReportsCleanup.enabled📜
Type: bool
false
Description: Create a helm post-upgrade hook to cleanup the old policy reports.
policyReportsCleanup.automountServiceAccountToken.enabled📜
Type: bool
true
policyReportsCleanup.image.registry📜
Type: string
"registry1.dso.mil"
Description: Image registry
policyReportsCleanup.image.repository📜
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
policyReportsCleanup.image.tag📜
Type: string
"v1.30.10"
Description: Image tag Defaults to latest if omitted
policyReportsCleanup.image.pullPolicy📜
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
policyReportsCleanup.imagePullSecrets📜
Type: list
- name: private-registry
Description: Image pull secrets
policyReportsCleanup.podSecurityContext📜
Type: object
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
Description: Security context for the pod
policyReportsCleanup.nodeSelector📜
Type: object
{}
Description: Node labels for pod assignment
policyReportsCleanup.tolerations📜
Type: list
[]
Description: List of node taints to tolerate
policyReportsCleanup.podAntiAffinity📜
Type: object
{}
Description: Pod anti affinity constraints.
policyReportsCleanup.podAffinity📜
Type: object
{}
Description: Pod affinity constraints.
policyReportsCleanup.podLabels📜
Type: object
{}
Description: Pod labels.
policyReportsCleanup.podAnnotations📜
Type: object
{}
Description: Pod annotations.
policyReportsCleanup.nodeAffinity📜
Type: object
{}
Description: Node affinity constraints.
policyReportsCleanup.securityContext📜
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
type: RuntimeDefault
Description: Security context for the hook containers
policyReportsCleanup.resources📜
Type: object
limits:
cpu: '1'
memory: 512Mi
requests:
cpu: '0.5'
memory: 256Mi
Description: Resource limits for the containers
grafana.enabled📜
Type: bool
false
Description: Enable grafana dashboard creation.
grafana.configMapName📜
Type: string
"{{ include \"kyverno.fullname\" . }}-grafana"
Description: Configmap name template.
grafana.namespace📜
Type: string
nil
Description: Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed.
grafana.annotations📜
Type: object
{}
Description: Grafana dashboard configmap annotations.
grafana.labels📜
Type: object
grafana_dashboard: '1'
Description: Grafana dashboard configmap labels
grafana.grafanaDashboard📜
Type: object
allowCrossNamespaceImport: true
create: false
folder: kyverno
matchLabels:
dashboards: grafana
Description: create GrafanaDashboard custom resource referencing to the configMap. according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/
features.admissionReports.enabled📜
Type: bool
true
Description: Enables the feature
features.aggregateReports.enabled📜
Type: bool
true
Description: Enables the feature
features.policyReports.enabled📜
Type: bool
true
Description: Enables the feature
features.validatingAdmissionPolicyReports.enabled📜
Type: bool
false
Description: Enables the feature
features.reporting.validate📜
Type: bool
true
Description: Enables the feature
features.reporting.mutate📜
Type: bool
true
Description: Enables the feature
features.reporting.mutateExisting📜
Type: bool
true
Description: Enables the feature
features.reporting.imageVerify📜
Type: bool
true
Description: Enables the feature
features.reporting.generate📜
Type: bool
true
Description: Enables the feature
features.autoUpdateWebhooks.enabled📜
Type: bool
true
Description: Enables the feature
features.backgroundScan.enabled📜
Type: bool
true
Description: Enables the feature
features.backgroundScan.backgroundScanWorkers📜
Type: int
2
Description: Number of background scan workers
features.backgroundScan.backgroundScanInterval📜
Type: string
"1h"
Description: Background scan interval
features.backgroundScan.skipResourceFilters📜
Type: bool
true
Description: Skips resource filters in background scan
features.configMapCaching.enabled📜
Type: bool
true
Description: Enables the feature
features.deferredLoading.enabled📜
Type: bool
true
Description: Enables the feature
features.dumpPayload.enabled📜
Type: bool
false
Description: Enables the feature
features.forceFailurePolicyIgnore.enabled📜
Type: bool
false
Description: Enables the feature
features.generateValidatingAdmissionPolicy.enabled📜
Type: bool
false
Description: Enables the feature
features.dumpPatches.enabled📜
Type: bool
false
Description: Enables the feature
features.globalContext.maxApiCallResponseLength📜
Type: int
2000000
Description: Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended)
features.logging.format📜
Type: string
"text"
Description: Logging format
features.logging.verbosity📜
Type: int
2
Description: Logging verbosity
features.omitEvents.eventTypes📜
Type: list
- PolicyApplied
- PolicySkipped
Description: Events which should not be emitted (possible values PolicyViolation, PolicyApplied, PolicyError, and PolicySkipped)
features.policyExceptions.enabled📜
Type: bool
false
Description: Enables the feature
features.policyExceptions.namespace📜
Type: string
"kyverno"
Description: Restrict policy exceptions to a single namespace
features.protectManagedResources.enabled📜
Type: bool
false
Description: Enables the feature
features.registryClient.allowInsecure📜
Type: bool
false
Description: Allow insecure registry
features.registryClient.credentialHelpers📜
Type: list
- default
- google
- amazon
- azure
- github
Description: Enable registry client helpers
features.ttlController.reconciliationInterval📜
Type: string
"1m"
Description: Reconciliation interval for the label based cleanup manager
features.tuf.enabled📜
Type: bool
false
Description: Enables the feature
features.tuf.root📜
Type: string
nil
Description: Path to Tuf root
features.tuf.rootRaw📜
Type: string
nil
Description: Raw Tuf root
features.tuf.mirror📜
Type: string
nil
Description: Tuf mirror
cleanupJobs.rbac.serviceAccount.automountServiceAccountToken.enabled📜
Type: bool
false
cleanupJobs.admissionReports.enabled📜
Type: bool
true
Description: Enable cleanup cronjob
cleanupJobs.admissionReports.automountServiceAccountToken.enabled📜
Type: bool
true
cleanupJobs.admissionReports.backoffLimit📜
Type: int
3
Description: Maximum number of retries before considering a Job as failed. Defaults to 3.
cleanupJobs.admissionReports.image.registry📜
Type: string
"registry1.dso.mil"
Description: Image registry
cleanupJobs.admissionReports.image.repository📜
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
cleanupJobs.admissionReports.image.tag📜
Type: string
"v1.30.10"
Description: Image tag Defaults to latest if omitted
cleanupJobs.admissionReports.image.pullPolicy📜
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
cleanupJobs.admissionReports.imagePullSecrets📜
Type: list
- name: private-registry
Description: Image pull secrets
cleanupJobs.admissionReports.schedule📜
Type: string
"*/10 * * * *"
Description: Cronjob schedule
cleanupJobs.admissionReports.threshold📜
Type: int
10000
Description: Reports threshold, if number of reports are above this value the cronjob will start deleting them
cleanupJobs.admissionReports.history📜
Type: object
failure: 1
success: 1
Description: Cronjob history
cleanupJobs.admissionReports.podSecurityContext📜
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
cleanupJobs.admissionReports.securityContext📜
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
cleanupJobs.admissionReports.priorityClassName📜
Type: string
""
Description: Pod PriorityClassName
cleanupJobs.admissionReports.resources📜
Type: object
{}
Description: Job resources
cleanupJobs.admissionReports.tolerations📜
Type: list
[]
Description: List of node taints to tolerate
cleanupJobs.admissionReports.nodeSelector📜
Type: object
{}
Description: Node labels for pod assignment
cleanupJobs.admissionReports.podAnnotations📜
Type: object
{}
Description: Pod Annotations
cleanupJobs.admissionReports.podLabels📜
Type: object
{}
Description: Pod labels
cleanupJobs.admissionReports.podAntiAffinity📜
Type: object
{}
Description: Pod anti affinity constraints.
cleanupJobs.admissionReports.podAffinity📜
Type: object
{}
Description: Pod affinity constraints.
cleanupJobs.admissionReports.nodeAffinity📜
Type: object
{}
Description: Node affinity constraints.
cleanupJobs.clusterAdmissionReports.enabled📜
Type: bool
true
Description: Enable cleanup cronjob
cleanupJobs.clusterAdmissionReports.automountServiceAccountToken.enabled📜
Type: bool
true
cleanupJobs.clusterAdmissionReports.backoffLimit📜
Type: int
3
Description: Maximum number of retries before considering a Job as failed. Defaults to 3.
cleanupJobs.clusterAdmissionReports.image.registry📜
Type: string
"registry1.dso.mil"
Description: Image registry
cleanupJobs.clusterAdmissionReports.image.repository📜
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
cleanupJobs.clusterAdmissionReports.image.tag📜
Type: string
"v1.30.10"
Description: Image tag Defaults to latest if omitted
cleanupJobs.clusterAdmissionReports.image.pullPolicy📜
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
cleanupJobs.clusterAdmissionReports.imagePullSecrets📜
Type: list
- name: private-registry
Description: Image pull secrets
cleanupJobs.clusterAdmissionReports.schedule📜
Type: string
"*/10 * * * *"
Description: Cronjob schedule
cleanupJobs.clusterAdmissionReports.threshold📜
Type: int
10000
Description: Reports threshold, if number of reports are above this value the cronjob will start deleting them
cleanupJobs.clusterAdmissionReports.history📜
Type: object
failure: 1
success: 1
Description: Cronjob history
cleanupJobs.clusterAdmissionReports.podSecurityContext📜
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
cleanupJobs.clusterAdmissionReports.securityContext📜
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
cleanupJobs.clusterAdmissionReports.priorityClassName📜
Type: string
""
Description: Pod PriorityClassName
cleanupJobs.clusterAdmissionReports.resources📜
Type: object
{}
Description: Job resources
cleanupJobs.clusterAdmissionReports.tolerations📜
Type: list
[]
Description: List of node taints to tolerate
cleanupJobs.clusterAdmissionReports.nodeSelector📜
Type: object
{}
Description: Node labels for pod assignment
cleanupJobs.clusterAdmissionReports.podAnnotations📜
Type: object
{}
Description: Pod Annotations
cleanupJobs.clusterAdmissionReports.podLabels📜
Type: object
{}
Description: Pod Labels
cleanupJobs.clusterAdmissionReports.podAntiAffinity📜
Type: object
{}
Description: Pod anti affinity constraints.
cleanupJobs.clusterAdmissionReports.podAffinity📜
Type: object
{}
Description: Pod affinity constraints.
cleanupJobs.clusterAdmissionReports.nodeAffinity📜
Type: object
{}
Description: Node affinity constraints.
cleanupJobs.updateRequests.enabled📜
Type: bool
true
Description: Enable cleanup cronjob
cleanupJobs.updateRequests.automountServiceAccountToken.enabled📜
Type: bool
true
cleanupJobs.updateRequests.backoffLimit📜
Type: int
3
Description: Maximum number of retries before considering a Job as failed. Defaults to 3.
cleanupJobs.updateRequests.ttlSecondsAfterFinished📜
Type: string
""
Description: Time until the pod from the cronjob is deleted
cleanupJobs.updateRequests.image.registry📜
Type: string
"registry1.dso.mil"
Description: Image registry
cleanupJobs.updateRequests.image.repository📜
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
cleanupJobs.updateRequests.image.tag📜
Type: string
"v1.30.10"
Description: Image tag Defaults to latest if omitted
cleanupJobs.updateRequests.image.pullPolicy📜
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
cleanupJobs.updateRequests.imagePullSecrets📜
Type: list
- name: private-registry
Description: Image pull secrets
cleanupJobs.updateRequests.schedule📜
Type: string
"*/10 * * * *"
Description: Cronjob schedule
cleanupJobs.updateRequests.threshold📜
Type: int
10000
Description: Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them
cleanupJobs.updateRequests.history📜
Type: object
failure: 1
success: 1
Description: Cronjob history
cleanupJobs.updateRequests.podSecurityContext📜
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
cleanupJobs.updateRequests.securityContext📜
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
cleanupJobs.updateRequests.priorityClassName📜
Type: string
""
Description: Pod PriorityClassName
cleanupJobs.updateRequests.resources📜
Type: object
{}
Description: Job resources
cleanupJobs.updateRequests.tolerations📜
Type: list
[]
Description: List of node taints to tolerate
cleanupJobs.updateRequests.nodeSelector📜
Type: object
{}
Description: Node labels for pod assignment
cleanupJobs.updateRequests.podAnnotations📜
Type: object
{}
Description: Pod Annotations
cleanupJobs.updateRequests.podLabels📜
Type: object
{}
Description: Pod labels
cleanupJobs.updateRequests.podAntiAffinity📜
Type: object
{}
Description: Pod anti affinity constraints.
cleanupJobs.updateRequests.podAffinity📜
Type: object
{}
Description: Pod affinity constraints.
cleanupJobs.updateRequests.nodeAffinity📜
Type: object
{}
Description: Node affinity constraints.
cleanupJobs.ephemeralReports.enabled📜
Type: bool
true
Description: Enable cleanup cronjob
cleanupJobs.ephemeralReports.automountServiceAccountToken.enabled📜
Type: bool
true
cleanupJobs.ephemeralReports.backoffLimit📜
Type: int
3
Description: Maximum number of retries before considering a Job as failed. Defaults to 3.
cleanupJobs.ephemeralReports.ttlSecondsAfterFinished📜
Type: string
""
Description: Time until the pod from the cronjob is deleted
cleanupJobs.ephemeralReports.image.registry📜
Type: string
"registry1.dso.mil"
Description: Image registry
cleanupJobs.ephemeralReports.image.repository📜
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
cleanupJobs.ephemeralReports.image.tag📜
Type: string
"v1.30.10"
Description: Image tag Defaults to latest if omitted
cleanupJobs.ephemeralReports.image.pullPolicy📜
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
cleanupJobs.ephemeralReports.imagePullSecrets📜
Type: list
- name: private-registry
Description: Image pull secrets
cleanupJobs.ephemeralReports.schedule📜
Type: string
"*/10 * * * *"
Description: Cronjob schedule
cleanupJobs.ephemeralReports.threshold📜
Type: int
10000
Description: Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them
cleanupJobs.ephemeralReports.history📜
Type: object
failure: 1
success: 1
Description: Cronjob history
cleanupJobs.ephemeralReports.podSecurityContext📜
Type: object
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
Description: Security context for the pod
cleanupJobs.ephemeralReports.securityContext📜
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
cleanupJobs.ephemeralReports.priorityClassName📜
Type: string
""
Description: Pod PriorityClassName
cleanupJobs.ephemeralReports.resources📜
Type: object
{}
Description: Job resources
cleanupJobs.ephemeralReports.tolerations📜
Type: list
[]
Description: List of node taints to tolerate
cleanupJobs.ephemeralReports.nodeSelector📜
Type: object
{}
Description: Node labels for pod assignment
cleanupJobs.ephemeralReports.podAnnotations📜
Type: object
{}
Description: Pod Annotations
cleanupJobs.ephemeralReports.podLabels📜
Type: object
{}
Description: Pod labels
cleanupJobs.ephemeralReports.podAntiAffinity📜
Type: object
{}
Description: Pod anti affinity constraints.
cleanupJobs.ephemeralReports.podAffinity📜
Type: object
{}
Description: Pod affinity constraints.
cleanupJobs.ephemeralReports.nodeAffinity📜
Type: object
{}
Description: Node affinity constraints.
cleanupJobs.clusterEphemeralReports.enabled📜
Type: bool
true
Description: Enable cleanup cronjob
cleanupJobs.clusterEphemeralReports.automountServiceAccountToken.enabled📜
Type: bool
true
cleanupJobs.clusterEphemeralReports.backoffLimit📜
Type: int
3
Description: Maximum number of retries before considering a Job as failed. Defaults to 3.
cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinished📜
Type: string
""
Description: Time until the pod from the cronjob is deleted
cleanupJobs.clusterEphemeralReports.image.registry📜
Type: string
"registry1.dso.mil"
Description: Image registry
cleanupJobs.clusterEphemeralReports.image.repository📜
Type: string
"ironbank/opensource/kubernetes/kubectl"
Description: Image repository
cleanupJobs.clusterEphemeralReports.image.tag📜
Type: string
"v1.30.10"
Description: Image tag Defaults to latest if omitted
cleanupJobs.clusterEphemeralReports.image.pullPolicy📜
Type: string
nil
Description: Image pull policy Defaults to image.pullPolicy if omitted
cleanupJobs.clusterEphemeralReports.imagePullSecrets📜
Type: list
- name: private-registry
Description: Image pull secrets
cleanupJobs.clusterEphemeralReports.schedule📜
Type: string
"*/10 * * * *"
Description: Cronjob schedule
cleanupJobs.clusterEphemeralReports.threshold📜
Type: int
10000
Description: Reports threshold, if number of reports are above this value the cronjob will start deleting them
cleanupJobs.clusterEphemeralReports.history📜
Type: object
failure: 1
success: 1
Description: Cronjob history
cleanupJobs.clusterEphemeralReports.podSecurityContext📜
Type: object
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
Description: Security context for the pod
cleanupJobs.clusterEphemeralReports.securityContext📜
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
cleanupJobs.clusterEphemeralReports.priorityClassName📜
Type: string
""
Description: Pod PriorityClassName
cleanupJobs.clusterEphemeralReports.resources📜
Type: object
{}
Description: Job resources
cleanupJobs.clusterEphemeralReports.tolerations📜
Type: list
[]
Description: List of node taints to tolerate
cleanupJobs.clusterEphemeralReports.nodeSelector📜
Type: object
{}
Description: Node labels for pod assignment
cleanupJobs.clusterEphemeralReports.podAnnotations📜
Type: object
{}
Description: Pod Annotations
cleanupJobs.clusterEphemeralReports.podLabels📜
Type: object
{}
Description: Pod Labels
cleanupJobs.clusterEphemeralReports.podAntiAffinity📜
Type: object
{}
Description: Pod anti affinity constraints.
cleanupJobs.clusterEphemeralReports.podAffinity📜
Type: object
{}
Description: Pod affinity constraints.
cleanupJobs.clusterEphemeralReports.nodeAffinity📜
Type: object
{}
Description: Node affinity constraints.
admissionController.featuresOverride📜
Type: object
admissionReports:
backPressureThreshold: 1000
Description: Overrides features defined at the root level
admissionController.featuresOverride.admissionReports.backPressureThreshold📜
Type: int
1000
Description: Max number of admission reports allowed in flight until the admission controller stops creating new ones
admissionController.rbac.create📜
Type: bool
true
Description: Create RBAC resources
admissionController.rbac.createViewRoleBinding📜
Type: bool
true
Description: Create rolebinding to view role
admissionController.rbac.viewRoleName📜
Type: string
"view"
Description: The view role to use in the rolebinding
admissionController.rbac.serviceAccount.name📜
Type: string
nil
Description: The ServiceAccount name
admissionController.rbac.serviceAccount.annotations📜
Type: object
{}
Description: Annotations for the ServiceAccount
admissionController.rbac.serviceAccount.automountServiceAccountToken.enabled📜
Type: bool
false
admissionController.rbac.deployment.automountServiceAccountToken.enabled📜
Type: bool
true
admissionController.rbac.clusterRole.extraResources📜
Type: list
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
Description: Extra resource permissions to add in the cluster role
admissionController.createSelfSignedCert📜
Type: bool
false
Description: Create self-signed certificates at deployment time. The certificates won’t be automatically renewed if this is set to true.
admissionController.replicas📜
Type: int
3
Description: Desired number of pods
admissionController.revisionHistoryLimit📜
Type: int
10
Description: The number of revisions to keep
admissionController.resyncPeriod📜
Type: string
"15m"
Description: Resync period for informers
admissionController.podLabels📜
Type: object
{}
Description: Additional labels to add to each pod
admissionController.podAnnotations📜
Type: object
{}
Description: Additional annotations to add to each pod
admissionController.annotations📜
Type: object
{}
Description: Deployment annotations.
admissionController.priorityClassName📜
Type: string
""
Description: Optional priority class
admissionController.apiPriorityAndFairness📜
Type: bool
false
Description: Change apiPriorityAndFairness to true if you want to insulate the API calls made by Kyverno admission controller activities. This will help ensure Kyverno stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
admissionController.hostNetwork📜
Type: bool
false
Description: Change hostNetwork to true when you want the pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.
admissionController.webhookServer📜
Type: object
port: 9443
Description: admissionController webhook server port in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to
admissionController.dnsPolicy📜
Type: string
"ClusterFirst"
Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
admissionController.nodeSelector📜
Type: object
{}
Description: Node labels for pod assignment
admissionController.tolerations📜
Type: list
[]
Description: List of node taints to tolerate
admissionController.antiAffinity.enabled📜
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
admissionController.podAffinity📜
Type: object
{}
Description: Pod affinity constraints.
admissionController.nodeAffinity📜
Type: object
{}
Description: Node affinity constraints.
admissionController.topologySpreadConstraints📜
Type: list
[]
Description: Topology spread constraints.
admissionController.podSecurityContext📜
Type: object
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
Description: Security context for the pod
admissionController.podDisruptionBudget.enabled📜
Type: bool
false
Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
admissionController.podDisruptionBudget.minAvailable📜
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.
admissionController.podDisruptionBudget.maxUnavailable📜
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.
admissionController.tufRootMountPath📜
Type: string
"/.sigstore"
Description: A writable volume to use for the TUF root initialization.
admissionController.sigstoreVolume📜
Type: object
emptyDir: {}
Description: Volume to be mounted in pods for TUF/cosign work.
admissionController.caCertificates.data📜
Type: string
nil
Description: CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates
admissionController.caCertificates.volume📜
Type: object
{}
Description: Volume to be mounted for CA certificates Not used when .Values.admissionController.caCertificates.data is defined
admissionController.imagePullSecrets📜
Type: list
- name: private-registry
Description: Image pull secrets
admissionController.initContainer.image.registry📜
Type: string
nil
Description: Image registry
admissionController.initContainer.image.defaultRegistry📜
Type: string
"registry1.dso.mil"
admissionController.initContainer.image.repository📜
Type: string
"ironbank/opensource/kyverno/kyvernopre"
Description: Image repository
admissionController.initContainer.image.tag📜
Type: string
"v1.13.4"
Description: Image tag If missing, defaults to image.tag
admissionController.initContainer.image.pullPolicy📜
Type: string
nil
Description: Image pull policy If missing, defaults to image.pullPolicy
admissionController.initContainer.resources.limits📜
Type: object
cpu: 1
memory: 1Gi
Description: Pod resource limits
admissionController.initContainer.resources.requests📜
Type: object
cpu: 10m
memory: 64Mi
Description: Pod resource requests
admissionController.initContainer.securityContext📜
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
type: RuntimeDefault
Description: Container security context
admissionController.initContainer.extraArgs📜
Type: object
{}
Description: Additional container args.
admissionController.initContainer.extraEnvVars📜
Type: list
[]
Description: Additional container environment variables.
admissionController.container.image.registry📜
Type: string
nil
Description: Image registry
admissionController.container.image.defaultRegistry📜
Type: string
"registry1.dso.mil"
admissionController.container.image.repository📜
Type: string
"ironbank/opensource/kyverno"
Description: Image repository
admissionController.container.image.tag📜
Type: string
"v1.13.4"
Description: Image tag Defaults to appVersion in Chart.yaml if omitted
admissionController.container.image.pullPolicy📜
Type: string
"IfNotPresent"
Description: Image pull policy
admissionController.container.imagePullSecrets📜
Type: list
- name: private-registry
Description: Image pull secrets
admissionController.container.resources.limits📜
Type: object
cpu: 500m
memory: 512Mi
Description: Pod resource limits
admissionController.container.resources.requests📜
Type: object
cpu: 500m
memory: 512Mi
Description: Pod resource requests
admissionController.container.securityContext📜
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
type: RuntimeDefault
Description: Container security context
admissionController.container.extraArgs📜
Type: object
{}
Description: Additional container args.
admissionController.container.extraEnvVars📜
Type: list
[]
Description: Additional container environment variables.
admissionController.extraInitContainers📜
Type: list
[]
Description: Array of extra init containers
admissionController.extraContainers📜
Type: list
[]
Description: Array of extra containers to run alongside kyverno
admissionController.service.port📜
Type: int
443
Description: Service port.
admissionController.service.type📜
Type: string
"ClusterIP"
Description: Service type.
admissionController.service.nodePort📜
Type: string
nil
Description: Service node port. Only used if type is NodePort.
admissionController.service.annotations📜
Type: object
{}
Description: Service annotations.
admissionController.metricsService.create📜
Type: bool
true
Description: Create service.
admissionController.metricsService.port📜
Type: int
8000
Description: Service port. Kyverno’s metrics server will be exposed at this port.
admissionController.metricsService.type📜
Type: string
"ClusterIP"
Description: Service type.
admissionController.metricsService.nodePort📜
Type: string
nil
Description: Service node port. Only used if type is NodePort.
admissionController.metricsService.annotations📜
Type: object
{}
Description: Service annotations.
admissionController.networkPolicy.enabled📜
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
admissionController.networkPolicy.ingressFrom📜
Type: list
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
admissionController.serviceMonitor.enabled📜
Type: bool
false
Description: Create a ServiceMonitor to collect Prometheus metrics.
admissionController.serviceMonitor.additionalLabels📜
Type: object
{}
Description: Additional labels
admissionController.serviceMonitor.namespace📜
Type: string
nil
Description: Override namespace
admissionController.serviceMonitor.interval📜
Type: string
"30s"
Description: Interval to scrape metrics
admissionController.serviceMonitor.scrapeTimeout📜
Type: string
"25s"
Description: Timeout if metrics can’t be retrieved in given time interval
admissionController.serviceMonitor.secure📜
Type: bool
false
Description: Is TLS required for endpoint
admissionController.serviceMonitor.tlsConfig📜
Type: object
{}
Description: TLS Configuration for endpoint
admissionController.serviceMonitor.relabelings📜
Type: list
[]
Description: RelabelConfigs to apply to samples before scraping
admissionController.serviceMonitor.metricRelabelings📜
Type: list
[]
Description: MetricRelabelConfigs to apply to samples before ingestion.
admissionController.tracing.enabled📜
Type: bool
false
Description: Enable tracing
admissionController.tracing.address📜
Type: string
nil
Description: Traces receiver address
admissionController.tracing.port📜
Type: string
nil
Description: Traces receiver port
admissionController.tracing.creds📜
Type: string
""
Description: Traces receiver credentials
admissionController.metering.disabled📜
Type: bool
false
Description: Disable metrics export
admissionController.metering.config📜
Type: string
"prometheus"
Description: Otel configuration, can be prometheus or grpc
admissionController.metering.port📜
Type: int
8000
Description: Prometheus endpoint port
admissionController.metering.collector📜
Type: string
""
Description: Otel collector endpoint
admissionController.metering.creds📜
Type: string
""
Description: Otel collector credentials
admissionController.profiling.enabled📜
Type: bool
false
Description: Enable profiling
admissionController.profiling.port📜
Type: int
6060
Description: Profiling endpoint port
admissionController.profiling.serviceType📜
Type: string
"ClusterIP"
Description: Service type.
admissionController.profiling.nodePort📜
Type: string
nil
Description: Service node port. Only used if type is NodePort.
backgroundController.featuresOverride📜
Type: object
{}
Description: Overrides features defined at the root level
backgroundController.enabled📜
Type: bool
true
Description: Enable background controller.
backgroundController.rbac.create📜
Type: bool
true
Description: Create RBAC resources
backgroundController.rbac.createViewRoleBinding📜
Type: bool
true
Description: Create rolebinding to view role
backgroundController.rbac.viewRoleName📜
Type: string
"view"
Description: The view role to use in the rolebinding
backgroundController.rbac.serviceAccount.name📜
Type: string
nil
Description: Service account name
backgroundController.rbac.serviceAccount.annotations📜
Type: object
{}
Description: Annotations for the ServiceAccount
backgroundController.rbac.serviceAccount.automountServiceAccountToken.enabled📜
Type: bool
false
backgroundController.rbac.deployment.automountServiceAccountToken.enabled📜
Type: bool
true
backgroundController.rbac.clusterRole.extraResources📜
Type: list
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- '*'
resources:
- secrets
verbs:
- create
- update
- delete
Description: Extra resource permissions to add in the cluster role
backgroundController.image.registry📜
Type: string
nil
Description: Image registry
backgroundController.image.defaultRegistry📜
Type: string
"registry1.dso.mil"
backgroundController.image.repository📜
Type: string
"ironbank/opensource/kyverno/kyverno/background-controller"
Description: Image repository
backgroundController.image.tag📜
Type: string
"v1.13.4"
Description: Image tag Defaults to appVersion in Chart.yaml if omitted
backgroundController.image.pullPolicy📜
Type: string
"IfNotPresent"
Description: Image pull policy
backgroundController.imagePullSecrets📜
Type: list
- name: private-registry
Description: Image pull secrets
backgroundController.replicas📜
Type: int
nil
Description: Desired number of pods
backgroundController.revisionHistoryLimit📜
Type: int
10
Description: The number of revisions to keep
backgroundController.resyncPeriod📜
Type: string
"15m"
Description: Resync period for informers
backgroundController.podLabels📜
Type: object
{}
Description: Additional labels to add to each pod
backgroundController.podAnnotations📜
Type: object
{}
Description: Additional annotations to add to each pod
backgroundController.annotations📜
Type: object
{}
Description: Deployment annotations.
backgroundController.priorityClassName📜
Type: string
""
Description: Optional priority class
backgroundController.hostNetwork📜
Type: bool
false
Description: Change hostNetwork to true when you want the pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.
backgroundController.dnsPolicy📜
Type: string
"ClusterFirst"
Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
backgroundController.extraArgs📜
Type: object
{}
Description: Extra arguments passed to the container on the command line
backgroundController.extraEnvVars📜
Type: list
[]
Description: Additional container environment variables.
backgroundController.resources.limits📜
Type: object
memory: 128Mi
Description: Pod resource limits
backgroundController.resources.requests📜
Type: object
cpu: 100m
memory: 64Mi
Description: Pod resource requests
backgroundController.nodeSelector📜
Type: object
{}
Description: Node labels for pod assignment
backgroundController.tolerations📜
Type: list
[]
Description: List of node taints to tolerate
backgroundController.antiAffinity.enabled📜
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
backgroundController.podAffinity📜
Type: object
{}
Description: Pod affinity constraints.
backgroundController.nodeAffinity📜
Type: object
{}
Description: Node affinity constraints.
backgroundController.topologySpreadConstraints📜
Type: list
[]
Description: Topology spread constraints.
backgroundController.podSecurityContext📜
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
backgroundController.securityContext📜
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
backgroundController.podDisruptionBudget.enabled📜
Type: bool
false
Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
backgroundController.podDisruptionBudget.minAvailable📜
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.
backgroundController.podDisruptionBudget.maxUnavailable📜
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.
backgroundController.caCertificates.data📜
Type: string
nil
Description: CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates
backgroundController.caCertificates.volume📜
Type: object
{}
Description: Volume to be mounted for CA certificates Not used when .Values.backgroundController.caCertificates.data is defined
backgroundController.metricsService.create📜
Type: bool
true
Description: Create service.
backgroundController.metricsService.port📜
Type: int
8000
Description: Service port. Metrics server will be exposed at this port.
backgroundController.metricsService.type📜
Type: string
"ClusterIP"
Description: Service type.
backgroundController.metricsService.nodePort📜
Type: string
nil
Description: Service node port. Only used if metricsService.type is NodePort.
backgroundController.metricsService.annotations📜
Type: object
{}
Description: Service annotations.
backgroundController.networkPolicy.enabled📜
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
backgroundController.networkPolicy.ingressFrom📜
Type: list
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
backgroundController.serviceMonitor.enabled📜
Type: bool
false
Description: Create a ServiceMonitor to collect Prometheus metrics.
backgroundController.serviceMonitor.additionalLabels📜
Type: object
{}
Description: Additional labels
backgroundController.serviceMonitor.namespace📜
Type: string
nil
Description: Override namespace
backgroundController.serviceMonitor.interval📜
Type: string
"30s"
Description: Interval to scrape metrics
backgroundController.serviceMonitor.scrapeTimeout📜
Type: string
"25s"
Description: Timeout if metrics can’t be retrieved in given time interval
backgroundController.serviceMonitor.secure📜
Type: bool
false
Description: Is TLS required for endpoint
backgroundController.serviceMonitor.tlsConfig📜
Type: object
{}
Description: TLS Configuration for endpoint
backgroundController.serviceMonitor.relabelings📜
Type: list
[]
Description: RelabelConfigs to apply to samples before scraping
backgroundController.serviceMonitor.metricRelabelings📜
Type: list
[]
Description: MetricRelabelConfigs to apply to samples before ingestion.
backgroundController.tracing.enabled📜
Type: bool
false
Description: Enable tracing
backgroundController.tracing.address📜
Type: string
nil
Description: Traces receiver address
backgroundController.tracing.port📜
Type: string
nil
Description: Traces receiver port
backgroundController.tracing.creds📜
Type: string
""
Description: Traces receiver credentials
backgroundController.metering.disabled📜
Type: bool
false
Description: Disable metrics export
backgroundController.metering.config📜
Type: string
"prometheus"
Description: Otel configuration, can be prometheus or grpc
backgroundController.metering.port📜
Type: int
8000
Description: Prometheus endpoint port
backgroundController.metering.collector📜
Type: string
""
Description: Otel collector endpoint
backgroundController.metering.creds📜
Type: string
""
Description: Otel collector credentials
backgroundController.server📜
Type: object
port: 9443
Description: backgroundController server port in case you are using hostNetwork: true, you might want to change the port the backgroundController is listening to
backgroundController.profiling.enabled📜
Type: bool
false
Description: Enable profiling
backgroundController.profiling.port📜
Type: int
6060
Description: Profiling endpoint port
backgroundController.profiling.serviceType📜
Type: string
"ClusterIP"
Description: Service type.
backgroundController.profiling.nodePort📜
Type: string
nil
Description: Service node port. Only used if type is NodePort.
cleanupController.featuresOverride📜
Type: object
{}
Description: Overrides features defined at the root level
cleanupController.enabled📜
Type: bool
true
Description: Enable cleanup controller.
cleanupController.rbac.create📜
Type: bool
true
Description: Create RBAC resources
cleanupController.rbac.serviceAccount.name📜
Type: string
nil
Description: Service account name
cleanupController.rbac.serviceAccount.annotations📜
Type: object
{}
Description: Annotations for the ServiceAccount
cleanupController.rbac.serviceAccount.automountServiceAccountToken.enabled📜
Type: bool
false
cleanupController.rbac.deployment.automountServiceAccountToken.enabled📜
Type: bool
true
cleanupController.rbac.clusterRole.extraResources📜
Type: list
[]
Description: Extra resource permissions to add in the cluster role
cleanupController.createSelfSignedCert📜
Type: bool
false
Description: Create self-signed certificates at deployment time. The certificates won’t be automatically renewed if this is set to true.
cleanupController.image.registry📜
Type: string
nil
Description: Image registry
cleanupController.image.defaultRegistry📜
Type: string
"registry1.dso.mil"
cleanupController.image.repository📜
Type: string
"ironbank/opensource/kyverno/kyverno/cleanup-controller"
Description: Image repository
cleanupController.image.tag📜
Type: string
"v1.13.4"
Description: Image tag Defaults to appVersion in Chart.yaml if omitted
cleanupController.image.pullPolicy📜
Type: string
"IfNotPresent"
Description: Image pull policy
cleanupController.imagePullSecrets📜
Type: list
- name: private-registry
Description: Image pull secrets
cleanupController.replicas📜
Type: int
nil
Description: Desired number of pods
cleanupController.revisionHistoryLimit📜
Type: int
10
Description: The number of revisions to keep
cleanupController.resyncPeriod📜
Type: string
"15m"
Description: Resync period for informers
cleanupController.podLabels📜
Type: object
{}
Description: Additional labels to add to each pod
cleanupController.podAnnotations📜
Type: object
{}
Description: Additional annotations to add to each pod
cleanupController.annotations📜
Type: object
{}
Description: Deployment annotations.
cleanupController.priorityClassName📜
Type: string
""
Description: Optional priority class
cleanupController.hostNetwork📜
Type: bool
false
Description: Change hostNetwork to true when you want the pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.
cleanupController.server📜
Type: object
port: 9443
Description: cleanupController server port in case you are using hostNetwork: true, you might want to change the port the cleanupController is listening to
cleanupController.webhookServer📜
Type: object
port: 9443
Description: cleanupController webhook server port in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to
cleanupController.dnsPolicy📜
Type: string
"ClusterFirst"
Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
cleanupController.extraArgs📜
Type: object
{}
Description: Extra arguments passed to the container on the command line
cleanupController.extraEnvVars📜
Type: list
[]
Description: Additional container environment variables.
cleanupController.resources.limits📜
Type: object
memory: 128Mi
Description: Pod resource limits
cleanupController.resources.requests📜
Type: object
cpu: 100m
memory: 64Mi
Description: Pod resource requests
cleanupController.nodeSelector📜
Type: object
{}
Description: Node labels for pod assignment
cleanupController.tolerations📜
Type: list
[]
Description: List of node taints to tolerate
cleanupController.antiAffinity.enabled📜
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
cleanupController.podAffinity📜
Type: object
{}
Description: Pod affinity constraints.
cleanupController.nodeAffinity📜
Type: object
{}
Description: Node affinity constraints.
cleanupController.topologySpreadConstraints📜
Type: list
[]
Description: Topology spread constraints.
cleanupController.podSecurityContext📜
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
cleanupController.securityContext📜
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
cleanupController.podDisruptionBudget.enabled📜
Type: bool
false
Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
cleanupController.podDisruptionBudget.minAvailable📜
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.
cleanupController.podDisruptionBudget.maxUnavailable📜
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.
cleanupController.service.port📜
Type: int
443
Description: Service port.
cleanupController.service.type📜
Type: string
"ClusterIP"
Description: Service type.
cleanupController.service.nodePort📜
Type: string
nil
Description: Service node port. Only used if service.type is NodePort.
cleanupController.service.annotations📜
Type: object
{}
Description: Service annotations.
cleanupController.metricsService.create📜
Type: bool
true
Description: Create service.
cleanupController.metricsService.port📜
Type: int
8000
Description: Service port. Metrics server will be exposed at this port.
cleanupController.metricsService.type📜
Type: string
"ClusterIP"
Description: Service type.
cleanupController.metricsService.nodePort📜
Type: string
nil
Description: Service node port. Only used if metricsService.type is NodePort.
cleanupController.metricsService.annotations📜
Type: object
{}
Description: Service annotations.
cleanupController.networkPolicy.enabled📜
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
cleanupController.networkPolicy.ingressFrom📜
Type: list
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
cleanupController.serviceMonitor.enabled📜
Type: bool
false
Description: Create a ServiceMonitor to collect Prometheus metrics.
cleanupController.serviceMonitor.additionalLabels📜
Type: object
{}
Description: Additional labels
cleanupController.serviceMonitor.namespace📜
Type: string
nil
Description: Override namespace
cleanupController.serviceMonitor.interval📜
Type: string
"30s"
Description: Interval to scrape metrics
cleanupController.serviceMonitor.scrapeTimeout📜
Type: string
"25s"
Description: Timeout if metrics can’t be retrieved in given time interval
cleanupController.serviceMonitor.secure📜
Type: bool
false
Description: Is TLS required for endpoint
cleanupController.serviceMonitor.tlsConfig📜
Type: object
{}
Description: TLS Configuration for endpoint
cleanupController.serviceMonitor.relabelings📜
Type: list
[]
Description: RelabelConfigs to apply to samples before scraping
cleanupController.serviceMonitor.metricRelabelings📜
Type: list
[]
Description: MetricRelabelConfigs to apply to samples before ingestion.
cleanupController.tracing.enabled📜
Type: bool
false
Description: Enable tracing
cleanupController.tracing.address📜
Type: string
nil
Description: Traces receiver address
cleanupController.tracing.port📜
Type: string
nil
Description: Traces receiver port
cleanupController.tracing.creds📜
Type: string
""
Description: Traces receiver credentials
cleanupController.metering.disabled📜
Type: bool
false
Description: Disable metrics export
cleanupController.metering.config📜
Type: string
"prometheus"
Description: Otel configuration, can be prometheus or grpc
cleanupController.metering.port📜
Type: int
8000
Description: Prometheus endpoint port
cleanupController.metering.collector📜
Type: string
""
Description: Otel collector endpoint
cleanupController.metering.creds📜
Type: string
""
Description: Otel collector credentials
cleanupController.profiling.enabled📜
Type: bool
false
Description: Enable profiling
cleanupController.profiling.port📜
Type: int
6060
Description: Profiling endpoint port
cleanupController.profiling.serviceType📜
Type: string
"ClusterIP"
Description: Service type.
cleanupController.profiling.nodePort📜
Type: string
nil
Description: Service node port. Only used if type is NodePort.
reportsController.featuresOverride📜
Type: object
{}
Description: Overrides features defined at the root level
reportsController.enabled📜
Type: bool
true
Description: Enable reports controller.
reportsController.rbac.create📜
Type: bool
true
Description: Create RBAC resources
reportsController.rbac.createViewRoleBinding📜
Type: bool
true
Description: Create rolebinding to view role
reportsController.rbac.viewRoleName📜
Type: string
"view"
Description: The view role to use in the rolebinding
reportsController.rbac.serviceAccount.name📜
Type: string
nil
Description: Service account name
reportsController.rbac.serviceAccount.annotations📜
Type: object
{}
Description: Annotations for the ServiceAccount
reportsController.rbac.serviceAccount.automountServiceAccountToken.enabled📜
Type: bool
false
reportsController.rbac.deployment.automountServiceAccountToken.enabled📜
Type: bool
true
reportsController.rbac.clusterRole.extraResources📜
Type: list
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
Description: Extra resource permissions to add in the cluster role
reportsController.image.registry📜
Type: string
nil
Description: Image registry
reportsController.image.defaultRegistry📜
Type: string
"registry1.dso.mil"
reportsController.image.repository📜
Type: string
"ironbank/opensource/kyverno/kyverno/reports-controller"
Description: Image repository
reportsController.image.tag📜
Type: string
"v1.13.4"
Description: Image tag Defaults to appVersion in Chart.yaml if omitted
reportsController.image.pullPolicy📜
Type: string
"IfNotPresent"
Description: Image pull policy
reportsController.imagePullSecrets📜
Type: list
- name: private-registry
Description: Image pull secrets
reportsController.replicas📜
Type: int
nil
Description: Desired number of pods
reportsController.revisionHistoryLimit📜
Type: int
10
Description: The number of revisions to keep
reportsController.resyncPeriod📜
Type: string
"15m"
Description: Resync period for informers
reportsController.podLabels📜
Type: object
{}
Description: Additional labels to add to each pod
reportsController.podAnnotations📜
Type: object
{}
Description: Additional annotations to add to each pod
reportsController.annotations📜
Type: object
{}
Description: Deployment annotations.
reportsController.priorityClassName📜
Type: string
""
Description: Optional priority class
reportsController.apiPriorityAndFairness📜
Type: bool
false
Description: Change apiPriorityAndFairness to true if you want to insulate the API calls made by Kyverno reports controller activities. This will help ensure Kyverno reports stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
reportsController.hostNetwork📜
Type: bool
false
Description: Change hostNetwork to true when you want the pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.
reportsController.dnsPolicy📜
Type: string
"ClusterFirst"
Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
reportsController.extraArgs📜
Type: object
{}
Description: Extra arguments passed to the container on the command line
reportsController.extraEnvVars📜
Type: list
[]
Description: Additional container environment variables.
reportsController.resources.limits📜
Type: object
memory: 128Mi
Description: Pod resource limits
reportsController.resources.requests📜
Type: object
cpu: 100m
memory: 64Mi
Description: Pod resource requests
reportsController.nodeSelector📜
Type: object
{}
Description: Node labels for pod assignment
reportsController.tolerations📜
Type: list
[]
Description: List of node taints to tolerate
reportsController.antiAffinity.enabled📜
Type: bool
true
Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.
reportsController.podAffinity📜
Type: object
{}
Description: Pod affinity constraints.
reportsController.nodeAffinity📜
Type: object
{}
Description: Node affinity constraints.
reportsController.topologySpreadConstraints📜
Type: list
[]
Description: Topology spread constraints.
reportsController.podSecurityContext📜
Type: object
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Description: Security context for the pod
reportsController.securityContext📜
Type: object
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Description: Security context for the containers
reportsController.podDisruptionBudget.enabled📜
Type: bool
false
Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
reportsController.podDisruptionBudget.minAvailable📜
Type: int
1
Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.
reportsController.podDisruptionBudget.maxUnavailable📜
Type: string
nil
Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.
reportsController.tufRootMountPath📜
Type: string
"/.sigstore"
Description: A writable volume to use for the TUF root initialization.
reportsController.sigstoreVolume📜
Type: object
emptyDir: {}
Description: Volume to be mounted in pods for TUF/cosign work.
reportsController.caCertificates.data📜
Type: string
nil
Description: CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates
reportsController.caCertificates.volume📜
Type: object
{}
Description: Volume to be mounted for CA certificates Not used when .Values.reportsController.caCertificates.data is defined
reportsController.metricsService.create📜
Type: bool
true
Description: Create service.
reportsController.metricsService.port📜
Type: int
8000
Description: Service port. Metrics server will be exposed at this port.
reportsController.metricsService.type📜
Type: string
"ClusterIP"
Description: Service type.
reportsController.metricsService.nodePort📜
Type: string
nil
Description: Service node port. Only used if type is NodePort.
reportsController.metricsService.annotations📜
Type: object
{}
Description: Service annotations.
reportsController.networkPolicy.enabled📜
Type: bool
false
Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
reportsController.networkPolicy.ingressFrom📜
Type: list
[]
Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
reportsController.serviceMonitor.enabled📜
Type: bool
false
Description: Create a ServiceMonitor to collect Prometheus metrics.
reportsController.serviceMonitor.additionalLabels📜
Type: object
{}
Description: Additional labels
reportsController.serviceMonitor.namespace📜
Type: string
nil
Description: Override namespace
reportsController.serviceMonitor.interval📜
Type: string
"30s"
Description: Interval to scrape metrics
reportsController.serviceMonitor.scrapeTimeout📜
Type: string
"25s"
Description: Timeout if metrics can’t be retrieved in given time interval
reportsController.serviceMonitor.secure📜
Type: bool
false
Description: Is TLS required for endpoint
reportsController.serviceMonitor.tlsConfig📜
Type: object
{}
Description: TLS Configuration for endpoint
reportsController.serviceMonitor.relabelings📜
Type: list
[]
Description: RelabelConfigs to apply to samples before scraping
reportsController.serviceMonitor.metricRelabelings📜
Type: list
[]
Description: MetricRelabelConfigs to apply to samples before ingestion.
reportsController.tracing.enabled📜
Type: bool
false
Description: Enable tracing
reportsController.tracing.address📜
Type: string
nil
Description: Traces receiver address
reportsController.tracing.port📜
Type: string
nil
Description: Traces receiver port
reportsController.tracing.creds📜
Type: string
nil
Description: Traces receiver credentials
reportsController.metering.disabled📜
Type: bool
false
Description: Disable metrics export
reportsController.metering.config📜
Type: string
"prometheus"
Description: Otel configuration, can be prometheus or grpc
reportsController.metering.port📜
Type: int
8000
Description: Prometheus endpoint port
reportsController.metering.collector📜
Type: string
nil
Description: Otel collector endpoint
reportsController.metering.creds📜
Type: string
nil
Description: Otel collector credentials
reportsController.server📜
Type: object
port: 9443
Description: reportsController server port in case you are using hostNetwork: true, you might want to change the port the reportsController is listening to
reportsController.profiling.enabled📜
Type: bool
false
Description: Enable profiling
reportsController.profiling.port📜
Type: int
6060
Description: Profiling endpoint port
reportsController.profiling.serviceType📜
Type: string
"ClusterIP"
Description: Service type.
reportsController.profiling.nodePort📜
Type: string
nil
Description: Service node port. Only used if type is NodePort.
networkPolicies.enabled📜
Type: bool
false
networkPolicies.controlPlaneCidr📜
Type: string
"0.0.0.0/0"
networkPolicies.externalRegistries.allowEgress📜
Type: bool
false
networkPolicies.externalRegistries.ports📜
Type: list
[]
networkPolicies.allowExternalRegistryEgress📜
Type: bool
false
networkPolicies.additionalPolicies📜
Type: list
[]
istio.enabled📜
Type: bool
false
openshift📜
Type: bool
false
bbtests.enabled📜
Type: bool
false
bbtests.scripts.image📜
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.10"
bbtests.scripts.additionalVolumeMounts[0].name📜
Type: string
"kyverno-bbtest-manifest"
bbtests.scripts.additionalVolumeMounts[0].mountPath📜
Type: string
"/yaml"
bbtests.scripts.additionalVolumes[0].name📜
Type: string
"kyverno-bbtest-manifest"
bbtests.scripts.additionalVolumes[0].configMap.name📜
Type: string
"kyverno-bbtest-manifest"