Skip to content

kyverno values.yaml📜

global.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Global value that allows to set a single image registry across all deployments. When set, it will override any values set under .image.registry across the chart.

global.imagePullSecrets[0].name📜

Type: string

Default value
"private-registry"

global.resyncPeriod📜

Type: string

Default value
"15m"

Description: Resync period for informers

global.caCertificates.data📜

Type: string

Default value
nil

Description: Global CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates Individual controller values will override this global value

global.caCertificates.volume📜

Type: object

Default value
{}

Description: Global value to set single volume to be mounted for CA certificates for all deployments. Not used when .Values.global.caCertificates.data is defined Individual controller values will override this global value

global.extraEnvVars📜

Type: list

Default value
[]

Description: Additional container environment variables to apply to all containers and init containers

global.nodeSelector📜

Type: object

Default value
{}

Description: Global node labels for pod assignment. Non-global values will override the global value.

global.tolerations📜

Type: list

Default value
[]

Description: Global List of node taints to tolerate. Non-global values will override the global value.

nameOverride📜

Type: string

Default value
nil

Description: Override the name of the chart

fullnameOverride📜

Type: string

Default value
nil

Description: Override the expanded name of the chart

namespaceOverride📜

Type: string

Default value
nil

Description: Override the namespace the chart deploys to

upgrade.fromV2📜

Type: bool

Default value
true

Description: Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed.

apiVersionOverride.podDisruptionBudget📜

Type: string

Default value
"policy/v1"

Description: Override api version used to create PodDisruptionBudget`` resources. When not specified the chart will check ifpolicy/v1/PodDisruptionBudget` is available to determine the api version automatically.

crds.install📜

Type: bool

Default value
true

Description: Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created

crds.groups.kyverno📜

Type: object

Default value
cleanuppolicies: true
clustercleanuppolicies: true
clusterpolicies: true
globalcontextentries: true
policies: true
policyexceptions: true
updaterequests: true

Description: Install CRDs in group kyverno.io

crds.groups.reports📜

Type: object

Default value
clusterephemeralreports: true
ephemeralreports: true

Description: Install CRDs in group reports.kyverno.io

crds.groups.wgpolicyk8s📜

Type: object

Default value
clusterpolicyreports: true
policyreports: true

Description: Install CRDs in group wgpolicyk8s.io

crds.annotations📜

Type: object

Default value
{}

Description: Additional CRDs annotations

crds.customLabels📜

Type: object

Default value
{}

Description: Additional CRDs labels

crds.migration.enabled📜

Type: bool

Default value
true

Description: Enable CRDs migration using helm post upgrade hook

crds.migration.resources📜

Type: list

Default value
- cleanuppolicies.kyverno.io
- clustercleanuppolicies.kyverno.io
- clusterpolicies.kyverno.io
- globalcontextentries.kyverno.io
- policies.kyverno.io
- policyexceptions.kyverno.io
- updaterequests.kyverno.io

Description: Resources to migrate

crds.migration.image.registry📜

Type: string

Default value
nil

Description: Image registry

crds.migration.image.defaultRegistry📜

Type: string

Default value
"registry1.dso.mil"

crds.migration.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno/kyvernocli"

Description: Image repository

crds.migration.image.tag📜

Type: string

Default value
"v1.13.2"

Description: Image tag Defaults to appVersion in Chart.yaml if omitted

crds.migration.image.pullPolicy📜

Type: string

Default value
nil

Description: Image pull policy

crds.migration.imagePullSecrets[0].name📜

Type: string

Default value
"private-registry"

crds.podSecurityContext📜

Type: object

Default value
nodeAffinity: {}
nodeSelector: {}
podAffinity: {}
podAnnotations: {}
podAntiAffinity: {}
podLabels: {}
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 65534
  runAsNonRoot: true
  runAsUser: 65534
  seccompProfile:
    type: RuntimeDefault
tolerations: []

Description: Security context for the pod

crds.podSecurityContext.nodeSelector📜

Type: object

Default value
{}

Description: Node labels for pod assignment

crds.podSecurityContext.tolerations📜

Type: list

Default value
[]

Description: List of node taints to tolerate

crds.podSecurityContext.podAntiAffinity📜

Type: object

Default value
{}

Description: Pod anti affinity constraints.

crds.podSecurityContext.podAffinity📜

Type: object

Default value
{}

Description: Pod affinity constraints.

crds.podSecurityContext.podLabels📜

Type: object

Default value
{}

Description: Pod labels.

crds.podSecurityContext.podAnnotations📜

Type: object

Default value
{}

Description: Pod annotations.

crds.podSecurityContext.nodeAffinity📜

Type: object

Default value
{}

Description: Node affinity constraints.

crds.podSecurityContext.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
  type: RuntimeDefault

Description: Security context for the hook containers

config.create📜

Type: bool

Default value
true

Description: Create the configmap.

config.preserve📜

Type: bool

Default value
true

Description: Preserve the configmap settings during upgrade.

config.name📜

Type: string

Default value
nil

Description: The configmap name (required if create is false).

config.annotations📜

Type: object

Default value
{}

Description: Additional annotations to add to the configmap.

config.enableDefaultRegistryMutation📜

Type: bool

Default value
true

Description: Enable registry mutation for container images. Enabled by default.

config.defaultRegistry📜

Type: string

Default value
"registry1.dso.mil"

Description: The registry hostname used for the image mutation.

config.excludeGroups📜

Type: list

Default value
- system:nodes

Description: Exclude groups

config.excludeUsernames📜

Type: list

Default value
[]

Description: Exclude usernames

config.excludeRoles📜

Type: list

Default value
[]

Description: Exclude roles

config.excludeClusterRoles📜

Type: list

Default value
[]

Description: Exclude roles

config.generateSuccessEvents📜

Type: bool

Default value
false

Description: Generate success events.

config.updateRequestThreshold📜

Type: int

Default value
1000

Description: Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies.

config.webhooks📜

Type: object

Default value
namespaceSelector:
  matchExpressions:
  - key: kubernetes.io/metadata.name
    operator: NotIn
    values:
    - kube-system

Description: Defines the namespaceSelector/objectSelector in the webhook configurations. The Kyverno namespace is excluded if excludeKyvernoNamespace is true (default)

config.webhookAnnotations📜

Type: object

Default value
admissions.enforcer/disabled: 'true'

Description: Defines annotations to set on webhook configurations.

config.webhookLabels📜

Type: object

Default value
{}

Description: Defines labels to set on webhook configurations.

config.matchConditions📜

Type: list

Default value
[]

Description: Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+).

config.excludeKyvernoNamespace📜

Type: bool

Default value
true

Description: Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters

config.resourceFiltersExcludeNamespaces📜

Type: list

Default value
[]

Description: resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters

config.resourceFiltersExclude📜

Type: list

Default value
[]

Description: resourceFilters exclude list Items to exclude from config.resourceFilters

config.resourceFiltersIncludeNamespaces📜

Type: list

Default value
[]

Description: resourceFilter namespace include Namespaces to include to the default resourceFilters

config.resourceFiltersInclude📜

Type: list

Default value
[]

Description: resourceFilters include list Items to include to config.resourceFilters

metricsConfig.create📜

Type: bool

Default value
true

Description: Create the configmap.

metricsConfig.name📜

Type: string

Default value
nil

Description: The configmap name (required if create is false).

metricsConfig.annotations📜

Type: object

Default value
{}

Description: Additional annotations to add to the configmap.

metricsConfig.namespaces.include📜

Type: list

Default value
[]

Description: List of namespaces to capture metrics for.

metricsConfig.namespaces.exclude📜

Type: list

Default value
[]

Description: list of namespaces to NOT capture metrics for.

metricsConfig.metricsRefreshInterval📜

Type: string

Default value
nil

Description: Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno’s metrics. Default: 0, no refresh of metrics. WARNING: This flag is not working since Kyverno 1.8.0

metricsConfig.bucketBoundaries📜

Type: list

Default value
- 0.005
- 0.01
- 0.025
- 0.05
- 0.1
- 0.25
- 0.5
- 1
- 2.5
- 5
- 10
- 15
- 20
- 25
- 30

Description: Configures the bucket boundaries for all Histogram metrics, changing this configuration requires restart of the kyverno admission controller

metricsConfig.metricsExposure.kyverno_policy_execution_duration_seconds.disabledLabelDimensions[0]📜

Type: string

Default value
"resource_namespace"

metricsConfig.metricsExposure.kyverno_policy_execution_duration_seconds.disabledLabelDimensions[1]📜

Type: string

Default value
"resource_request_operation"

metricsConfig.metricsExposure.kyverno_admission_review_duration_seconds.disabledLabelDimensions[0]📜

Type: string

Default value
"resource_namespace"

metricsConfig.metricsExposure.kyverno_policy_rule_info_total.disabledLabelDimensions[0]📜

Type: string

Default value
"resource_namespace"

metricsConfig.metricsExposure.kyverno_policy_rule_info_total.disabledLabelDimensions[1]📜

Type: string

Default value
"policy_namespace"

metricsConfig.metricsExposure.kyverno_policy_results_total.disabledLabelDimensions[0]📜

Type: string

Default value
"resource_namespace"

metricsConfig.metricsExposure.kyverno_policy_results_total.disabledLabelDimensions[1]📜

Type: string

Default value
"policy_namespace"

metricsConfig.metricsExposure.kyverno_admission_requests_total.disabledLabelDimensions[0]📜

Type: string

Default value
"resource_namespace"

metricsConfig.metricsExposure.kyverno_cleanup_controller_deletedobjects_total.disabledLabelDimensions[0]📜

Type: string

Default value
"resource_namespace"

metricsConfig.metricsExposure.kyverno_cleanup_controller_deletedobjects_total.disabledLabelDimensions[1]📜

Type: string

Default value
"policy_namespace"

imagePullSecrets📜

Type: object

Default value
{}

Description: Image pull secrets for image verification policies, this will define the --imagePullSecrets argument

existingImagePullSecrets📜

Type: list

Default value
- private-registry

Description: Existing Image pull secrets for image verification policies, this will define the --imagePullSecrets argument

test.sleep📜

Type: int

Default value
20

Description: Sleep time before running test

test.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

test.image.repository📜

Type: string

Default value
"ironbank/redhat/ubi/ubi9-minimal"

Description: Image repository

test.image.tag📜

Type: string

Default value
"9.5"

Description: Image tag Defaults to latest if omitted

test.image.pullPolicy📜

Type: string

Default value
nil

Description: Image pull policy Defaults to image.pullPolicy if omitted

test.imagePullSecrets📜

Type: list

Default value
- name: private-registry

Description: Image pull secrets

test.resources.limits📜

Type: object

Default value
cpu: 100m
memory: 256Mi

Description: Pod resource limits

test.resources.requests📜

Type: object

Default value
cpu: 10m
memory: 64Mi

Description: Pod resource requests

test.podSecurityContext📜

Type: object

Default value
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534

Description: Security context for the test pod

test.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
  type: RuntimeDefault

Description: Security context for the test containers

customLabels📜

Type: object

Default value
{}

Description: Additional labels

webhooksCleanup.enabled📜

Type: bool

Default value
true

Description: Create a helm pre-delete hook to cleanup webhooks.

webhooksCleanup.autoDeleteWebhooks.enabled📜

Type: bool

Default value
false

Description: Allow webhooks controller to delete webhooks using finalizers

webhooksCleanup.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

webhooksCleanup.image.repository📜

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

webhooksCleanup.image.tag📜

Type: string

Default value
"v1.30.6"

Description: Image tag Defaults to latest if omitted

webhooksCleanup.image.pullPolicy📜

Type: string

Default value
nil

Description: Image pull policy Defaults to image.pullPolicy if omitted

webhooksCleanup.imagePullSecrets📜

Type: list

Default value
- name: private-registry

Description: Image pull secrets

webhooksCleanup.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

webhooksCleanup.podSecurityContext📜

Type: object

Default value
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001

Description: Security context for the pod

webhooksCleanup.nodeSelector📜

Type: object

Default value
{}

Description: Node labels for pod assignment

webhooksCleanup.tolerations📜

Type: list

Default value
[]

Description: List of node taints to tolerate

webhooksCleanup.podAntiAffinity📜

Type: object

Default value
{}

Description: Pod anti affinity constraints.

webhooksCleanup.podAffinity📜

Type: object

Default value
{}

Description: Pod affinity constraints.

webhooksCleanup.podLabels📜

Type: object

Default value
{}

Description: Pod labels.

webhooksCleanup.podAnnotations📜

Type: object

Default value
{}

Description: Pod annotations.

webhooksCleanup.nodeAffinity📜

Type: object

Default value
{}

Description: Node affinity constraints.

webhooksCleanup.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
  type: RuntimeDefault

Description: Security context for the hook containers

webhooksCleanup.resources📜

Type: object

Default value
limits:
  cpu: '0.5'
  memory: 256Mi
requests:
  cpu: '0.5'
  memory: 256Mi

Description: Resource limits for the containers

policyReportsCleanup.enabled📜

Type: bool

Default value
false

Description: Create a helm post-upgrade hook to cleanup the old policy reports.

policyReportsCleanup.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

policyReportsCleanup.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

policyReportsCleanup.image.repository📜

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

policyReportsCleanup.image.tag📜

Type: string

Default value
"v1.30.6"

Description: Image tag Defaults to latest if omitted

policyReportsCleanup.image.pullPolicy📜

Type: string

Default value
nil

Description: Image pull policy Defaults to image.pullPolicy if omitted

policyReportsCleanup.imagePullSecrets📜

Type: list

Default value
- name: private-registry

Description: Image pull secrets

policyReportsCleanup.podSecurityContext📜

Type: object

Default value
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001

Description: Security context for the pod

policyReportsCleanup.nodeSelector📜

Type: object

Default value
{}

Description: Node labels for pod assignment

policyReportsCleanup.tolerations📜

Type: list

Default value
[]

Description: List of node taints to tolerate

policyReportsCleanup.podAntiAffinity📜

Type: object

Default value
{}

Description: Pod anti affinity constraints.

policyReportsCleanup.podAffinity📜

Type: object

Default value
{}

Description: Pod affinity constraints.

policyReportsCleanup.podLabels📜

Type: object

Default value
{}

Description: Pod labels.

policyReportsCleanup.podAnnotations📜

Type: object

Default value
{}

Description: Pod annotations.

policyReportsCleanup.nodeAffinity📜

Type: object

Default value
{}

Description: Node affinity constraints.

policyReportsCleanup.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
  type: RuntimeDefault

Description: Security context for the hook containers

policyReportsCleanup.resources📜

Type: object

Default value
limits:
  cpu: '1'
  memory: 512Mi
requests:
  cpu: '0.5'
  memory: 256Mi

Description: Resource limits for the containers

grafana.enabled📜

Type: bool

Default value
false

Description: Enable grafana dashboard creation.

grafana.configMapName📜

Type: string

Default value
"{{ include \"kyverno.fullname\" . }}-grafana"

Description: Configmap name template.

grafana.namespace📜

Type: string

Default value
nil

Description: Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed.

grafana.annotations📜

Type: object

Default value
{}

Description: Grafana dashboard configmap annotations.

grafana.labels📜

Type: object

Default value
grafana_dashboard: '1'

Description: Grafana dashboard configmap labels

grafana.grafanaDashboard📜

Type: object

Default value
allowCrossNamespaceImport: true
create: false
folder: kyverno
matchLabels:
  dashboards: grafana

Description: create GrafanaDashboard custom resource referencing to the configMap. according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/

features.admissionReports.enabled📜

Type: bool

Default value
true

Description: Enables the feature

features.aggregateReports.enabled📜

Type: bool

Default value
true

Description: Enables the feature

features.policyReports.enabled📜

Type: bool

Default value
true

Description: Enables the feature

features.validatingAdmissionPolicyReports.enabled📜

Type: bool

Default value
false

Description: Enables the feature

features.reporting.validate📜

Type: bool

Default value
true

Description: Enables the feature

features.reporting.mutate📜

Type: bool

Default value
true

Description: Enables the feature

features.reporting.mutateExisting📜

Type: bool

Default value
true

Description: Enables the feature

features.reporting.imageVerify📜

Type: bool

Default value
true

Description: Enables the feature

features.reporting.generate📜

Type: bool

Default value
true

Description: Enables the feature

features.autoUpdateWebhooks.enabled📜

Type: bool

Default value
true

Description: Enables the feature

features.backgroundScan.enabled📜

Type: bool

Default value
true

Description: Enables the feature

features.backgroundScan.backgroundScanWorkers📜

Type: int

Default value
2

Description: Number of background scan workers

features.backgroundScan.backgroundScanInterval📜

Type: string

Default value
"1h"

Description: Background scan interval

features.backgroundScan.skipResourceFilters📜

Type: bool

Default value
true

Description: Skips resource filters in background scan

features.configMapCaching.enabled📜

Type: bool

Default value
true

Description: Enables the feature

features.deferredLoading.enabled📜

Type: bool

Default value
true

Description: Enables the feature

features.dumpPayload.enabled📜

Type: bool

Default value
false

Description: Enables the feature

features.forceFailurePolicyIgnore.enabled📜

Type: bool

Default value
false

Description: Enables the feature

features.generateValidatingAdmissionPolicy.enabled📜

Type: bool

Default value
false

Description: Enables the feature

features.dumpPatches.enabled📜

Type: bool

Default value
false

Description: Enables the feature

features.globalContext.maxApiCallResponseLength📜

Type: int

Default value
2000000

Description: Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended)

features.logging.format📜

Type: string

Default value
"text"

Description: Logging format

features.logging.verbosity📜

Type: int

Default value
2

Description: Logging verbosity

features.omitEvents.eventTypes📜

Type: list

Default value
- PolicyApplied
- PolicySkipped

Description: Events which should not be emitted (possible values PolicyViolation, PolicyApplied, PolicyError, and PolicySkipped)

features.policyExceptions.enabled📜

Type: bool

Default value
false

Description: Enables the feature

features.policyExceptions.namespace📜

Type: string

Default value
"kyverno"

Description: Restrict policy exceptions to a single namespace

features.protectManagedResources.enabled📜

Type: bool

Default value
false

Description: Enables the feature

features.registryClient.allowInsecure📜

Type: bool

Default value
false

Description: Allow insecure registry

features.registryClient.credentialHelpers📜

Type: list

Default value
- default
- google
- amazon
- azure
- github

Description: Enable registry client helpers

features.ttlController.reconciliationInterval📜

Type: string

Default value
"1m"

Description: Reconciliation interval for the label based cleanup manager

features.tuf.enabled📜

Type: bool

Default value
false

Description: Enables the feature

features.tuf.root📜

Type: string

Default value
nil

Description: Path to Tuf root

features.tuf.rootRaw📜

Type: string

Default value
nil

Description: Raw Tuf root

features.tuf.mirror📜

Type: string

Default value
nil

Description: Tuf mirror

cleanupJobs.rbac.serviceAccount.automountServiceAccountToken.enabled📜

Type: bool

Default value
false

cleanupJobs.admissionReports.enabled📜

Type: bool

Default value
true

Description: Enable cleanup cronjob

cleanupJobs.admissionReports.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

cleanupJobs.admissionReports.backoffLimit📜

Type: int

Default value
3

Description: Maximum number of retries before considering a Job as failed. Defaults to 3.

cleanupJobs.admissionReports.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupJobs.admissionReports.image.repository📜

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

cleanupJobs.admissionReports.image.tag📜

Type: string

Default value
"v1.30.6"

Description: Image tag Defaults to latest if omitted

cleanupJobs.admissionReports.image.pullPolicy📜

Type: string

Default value
nil

Description: Image pull policy Defaults to image.pullPolicy if omitted

cleanupJobs.admissionReports.imagePullSecrets📜

Type: list

Default value
- name: private-registry

Description: Image pull secrets

cleanupJobs.admissionReports.schedule📜

Type: string

Default value
"*/10 * * * *"

Description: Cronjob schedule

cleanupJobs.admissionReports.threshold📜

Type: int

Default value
10000

Description: Reports threshold, if number of reports are above this value the cronjob will start deleting them

cleanupJobs.admissionReports.history📜

Type: object

Default value
failure: 1
success: 1

Description: Cronjob history

cleanupJobs.admissionReports.podSecurityContext📜

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

cleanupJobs.admissionReports.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

cleanupJobs.admissionReports.priorityClassName📜

Type: string

Default value
""

Description: Pod PriorityClassName

cleanupJobs.admissionReports.resources📜

Type: object

Default value
{}

Description: Job resources

cleanupJobs.admissionReports.tolerations📜

Type: list

Default value
[]

Description: List of node taints to tolerate

cleanupJobs.admissionReports.nodeSelector📜

Type: object

Default value
{}

Description: Node labels for pod assignment

cleanupJobs.admissionReports.podAnnotations📜

Type: object

Default value
{}

Description: Pod Annotations

cleanupJobs.admissionReports.podLabels📜

Type: object

Default value
{}

Description: Pod labels

cleanupJobs.admissionReports.podAntiAffinity📜

Type: object

Default value
{}

Description: Pod anti affinity constraints.

cleanupJobs.admissionReports.podAffinity📜

Type: object

Default value
{}

Description: Pod affinity constraints.

cleanupJobs.admissionReports.nodeAffinity📜

Type: object

Default value
{}

Description: Node affinity constraints.

cleanupJobs.clusterAdmissionReports.enabled📜

Type: bool

Default value
true

Description: Enable cleanup cronjob

cleanupJobs.clusterAdmissionReports.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

cleanupJobs.clusterAdmissionReports.backoffLimit📜

Type: int

Default value
3

Description: Maximum number of retries before considering a Job as failed. Defaults to 3.

cleanupJobs.clusterAdmissionReports.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupJobs.clusterAdmissionReports.image.repository📜

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

cleanupJobs.clusterAdmissionReports.image.tag📜

Type: string

Default value
"v1.30.6"

Description: Image tag Defaults to latest if omitted

cleanupJobs.clusterAdmissionReports.image.pullPolicy📜

Type: string

Default value
nil

Description: Image pull policy Defaults to image.pullPolicy if omitted

cleanupJobs.clusterAdmissionReports.imagePullSecrets📜

Type: list

Default value
- name: private-registry

Description: Image pull secrets

cleanupJobs.clusterAdmissionReports.schedule📜

Type: string

Default value
"*/10 * * * *"

Description: Cronjob schedule

cleanupJobs.clusterAdmissionReports.threshold📜

Type: int

Default value
10000

Description: Reports threshold, if number of reports are above this value the cronjob will start deleting them

cleanupJobs.clusterAdmissionReports.history📜

Type: object

Default value
failure: 1
success: 1

Description: Cronjob history

cleanupJobs.clusterAdmissionReports.podSecurityContext📜

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

cleanupJobs.clusterAdmissionReports.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

cleanupJobs.clusterAdmissionReports.priorityClassName📜

Type: string

Default value
""

Description: Pod PriorityClassName

cleanupJobs.clusterAdmissionReports.resources📜

Type: object

Default value
{}

Description: Job resources

cleanupJobs.clusterAdmissionReports.tolerations📜

Type: list

Default value
[]

Description: List of node taints to tolerate

cleanupJobs.clusterAdmissionReports.nodeSelector📜

Type: object

Default value
{}

Description: Node labels for pod assignment

cleanupJobs.clusterAdmissionReports.podAnnotations📜

Type: object

Default value
{}

Description: Pod Annotations

cleanupJobs.clusterAdmissionReports.podLabels📜

Type: object

Default value
{}

Description: Pod Labels

cleanupJobs.clusterAdmissionReports.podAntiAffinity📜

Type: object

Default value
{}

Description: Pod anti affinity constraints.

cleanupJobs.clusterAdmissionReports.podAffinity📜

Type: object

Default value
{}

Description: Pod affinity constraints.

cleanupJobs.clusterAdmissionReports.nodeAffinity📜

Type: object

Default value
{}

Description: Node affinity constraints.

cleanupJobs.updateRequests.enabled📜

Type: bool

Default value
true

Description: Enable cleanup cronjob

cleanupJobs.updateRequests.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

cleanupJobs.updateRequests.backoffLimit📜

Type: int

Default value
3

Description: Maximum number of retries before considering a Job as failed. Defaults to 3.

cleanupJobs.updateRequests.ttlSecondsAfterFinished📜

Type: string

Default value
""

Description: Time until the pod from the cronjob is deleted

cleanupJobs.updateRequests.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupJobs.updateRequests.image.repository📜

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

cleanupJobs.updateRequests.image.tag📜

Type: string

Default value
"v1.30.6"

Description: Image tag Defaults to latest if omitted

cleanupJobs.updateRequests.image.pullPolicy📜

Type: string

Default value
nil

Description: Image pull policy Defaults to image.pullPolicy if omitted

cleanupJobs.updateRequests.imagePullSecrets📜

Type: list

Default value
- name: private-registry

Description: Image pull secrets

cleanupJobs.updateRequests.schedule📜

Type: string

Default value
"*/10 * * * *"

Description: Cronjob schedule

cleanupJobs.updateRequests.threshold📜

Type: int

Default value
10000

Description: Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them

cleanupJobs.updateRequests.history📜

Type: object

Default value
failure: 1
success: 1

Description: Cronjob history

cleanupJobs.updateRequests.podSecurityContext📜

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

cleanupJobs.updateRequests.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

cleanupJobs.updateRequests.priorityClassName📜

Type: string

Default value
""

Description: Pod PriorityClassName

cleanupJobs.updateRequests.resources📜

Type: object

Default value
{}

Description: Job resources

cleanupJobs.updateRequests.tolerations📜

Type: list

Default value
[]

Description: List of node taints to tolerate

cleanupJobs.updateRequests.nodeSelector📜

Type: object

Default value
{}

Description: Node labels for pod assignment

cleanupJobs.updateRequests.podAnnotations📜

Type: object

Default value
{}

Description: Pod Annotations

cleanupJobs.updateRequests.podLabels📜

Type: object

Default value
{}

Description: Pod labels

cleanupJobs.updateRequests.podAntiAffinity📜

Type: object

Default value
{}

Description: Pod anti affinity constraints.

cleanupJobs.updateRequests.podAffinity📜

Type: object

Default value
{}

Description: Pod affinity constraints.

cleanupJobs.updateRequests.nodeAffinity📜

Type: object

Default value
{}

Description: Node affinity constraints.

cleanupJobs.ephemeralReports.enabled📜

Type: bool

Default value
true

Description: Enable cleanup cronjob

cleanupJobs.ephemeralReports.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

cleanupJobs.ephemeralReports.backoffLimit📜

Type: int

Default value
3

Description: Maximum number of retries before considering a Job as failed. Defaults to 3.

cleanupJobs.ephemeralReports.ttlSecondsAfterFinished📜

Type: string

Default value
""

Description: Time until the pod from the cronjob is deleted

cleanupJobs.ephemeralReports.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupJobs.ephemeralReports.image.repository📜

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

cleanupJobs.ephemeralReports.image.tag📜

Type: string

Default value
"v1.30.6"

Description: Image tag Defaults to latest if omitted

cleanupJobs.ephemeralReports.image.pullPolicy📜

Type: string

Default value
nil

Description: Image pull policy Defaults to image.pullPolicy if omitted

cleanupJobs.ephemeralReports.imagePullSecrets📜

Type: list

Default value
- name: private-registry

Description: Image pull secrets

cleanupJobs.ephemeralReports.schedule📜

Type: string

Default value
"*/10 * * * *"

Description: Cronjob schedule

cleanupJobs.ephemeralReports.threshold📜

Type: int

Default value
10000

Description: Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them

cleanupJobs.ephemeralReports.history📜

Type: object

Default value
failure: 1
success: 1

Description: Cronjob history

cleanupJobs.ephemeralReports.podSecurityContext📜

Type: object

Default value
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001

Description: Security context for the pod

cleanupJobs.ephemeralReports.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

cleanupJobs.ephemeralReports.priorityClassName📜

Type: string

Default value
""

Description: Pod PriorityClassName

cleanupJobs.ephemeralReports.resources📜

Type: object

Default value
{}

Description: Job resources

cleanupJobs.ephemeralReports.tolerations📜

Type: list

Default value
[]

Description: List of node taints to tolerate

cleanupJobs.ephemeralReports.nodeSelector📜

Type: object

Default value
{}

Description: Node labels for pod assignment

cleanupJobs.ephemeralReports.podAnnotations📜

Type: object

Default value
{}

Description: Pod Annotations

cleanupJobs.ephemeralReports.podLabels📜

Type: object

Default value
{}

Description: Pod labels

cleanupJobs.ephemeralReports.podAntiAffinity📜

Type: object

Default value
{}

Description: Pod anti affinity constraints.

cleanupJobs.ephemeralReports.podAffinity📜

Type: object

Default value
{}

Description: Pod affinity constraints.

cleanupJobs.ephemeralReports.nodeAffinity📜

Type: object

Default value
{}

Description: Node affinity constraints.

cleanupJobs.clusterEphemeralReports.enabled📜

Type: bool

Default value
true

Description: Enable cleanup cronjob

cleanupJobs.clusterEphemeralReports.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

cleanupJobs.clusterEphemeralReports.backoffLimit📜

Type: int

Default value
3

Description: Maximum number of retries before considering a Job as failed. Defaults to 3.

cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinished📜

Type: string

Default value
""

Description: Time until the pod from the cronjob is deleted

cleanupJobs.clusterEphemeralReports.image.registry📜

Type: string

Default value
"registry1.dso.mil"

Description: Image registry

cleanupJobs.clusterEphemeralReports.image.repository📜

Type: string

Default value
"ironbank/opensource/kubernetes/kubectl"

Description: Image repository

cleanupJobs.clusterEphemeralReports.image.tag📜

Type: string

Default value
"v1.30.6"

Description: Image tag Defaults to latest if omitted

cleanupJobs.clusterEphemeralReports.image.pullPolicy📜

Type: string

Default value
nil

Description: Image pull policy Defaults to image.pullPolicy if omitted

cleanupJobs.clusterEphemeralReports.imagePullSecrets📜

Type: list

Default value
- name: private-registry

Description: Image pull secrets

cleanupJobs.clusterEphemeralReports.schedule📜

Type: string

Default value
"*/10 * * * *"

Description: Cronjob schedule

cleanupJobs.clusterEphemeralReports.threshold📜

Type: int

Default value
10000

Description: Reports threshold, if number of reports are above this value the cronjob will start deleting them

cleanupJobs.clusterEphemeralReports.history📜

Type: object

Default value
failure: 1
success: 1

Description: Cronjob history

cleanupJobs.clusterEphemeralReports.podSecurityContext📜

Type: object

Default value
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001

Description: Security context for the pod

cleanupJobs.clusterEphemeralReports.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

cleanupJobs.clusterEphemeralReports.priorityClassName📜

Type: string

Default value
""

Description: Pod PriorityClassName

cleanupJobs.clusterEphemeralReports.resources📜

Type: object

Default value
{}

Description: Job resources

cleanupJobs.clusterEphemeralReports.tolerations📜

Type: list

Default value
[]

Description: List of node taints to tolerate

cleanupJobs.clusterEphemeralReports.nodeSelector📜

Type: object

Default value
{}

Description: Node labels for pod assignment

cleanupJobs.clusterEphemeralReports.podAnnotations📜

Type: object

Default value
{}

Description: Pod Annotations

cleanupJobs.clusterEphemeralReports.podLabels📜

Type: object

Default value
{}

Description: Pod Labels

cleanupJobs.clusterEphemeralReports.podAntiAffinity📜

Type: object

Default value
{}

Description: Pod anti affinity constraints.

cleanupJobs.clusterEphemeralReports.podAffinity📜

Type: object

Default value
{}

Description: Pod affinity constraints.

cleanupJobs.clusterEphemeralReports.nodeAffinity📜

Type: object

Default value
{}

Description: Node affinity constraints.

admissionController.featuresOverride📜

Type: object

Default value
admissionReports:
  backPressureThreshold: 1000

Description: Overrides features defined at the root level

admissionController.featuresOverride.admissionReports.backPressureThreshold📜

Type: int

Default value
1000

Description: Max number of admission reports allowed in flight until the admission controller stops creating new ones

admissionController.rbac.create📜

Type: bool

Default value
true

Description: Create RBAC resources

admissionController.rbac.createViewRoleBinding📜

Type: bool

Default value
true

Description: Create rolebinding to view role

admissionController.rbac.viewRoleName📜

Type: string

Default value
"view"

Description: The view role to use in the rolebinding

admissionController.rbac.serviceAccount.name📜

Type: string

Default value
nil

Description: The ServiceAccount name

admissionController.rbac.serviceAccount.annotations📜

Type: object

Default value
{}

Description: Annotations for the ServiceAccount

admissionController.rbac.serviceAccount.automountServiceAccountToken.enabled📜

Type: bool

Default value
false

admissionController.rbac.deployment.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

admissionController.rbac.clusterRole.extraResources📜

Type: list

Default value
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch

Description: Extra resource permissions to add in the cluster role

admissionController.createSelfSignedCert📜

Type: bool

Default value
false

Description: Create self-signed certificates at deployment time. The certificates won’t be automatically renewed if this is set to true.

admissionController.replicas📜

Type: int

Default value
3

Description: Desired number of pods

admissionController.revisionHistoryLimit📜

Type: int

Default value
10

Description: The number of revisions to keep

admissionController.resyncPeriod📜

Type: string

Default value
"15m"

Description: Resync period for informers

admissionController.podLabels📜

Type: object

Default value
{}

Description: Additional labels to add to each pod

admissionController.podAnnotations📜

Type: object

Default value
{}

Description: Additional annotations to add to each pod

admissionController.annotations📜

Type: object

Default value
{}

Description: Deployment annotations.

admissionController.priorityClassName📜

Type: string

Default value
""

Description: Optional priority class

admissionController.apiPriorityAndFairness📜

Type: bool

Default value
false

Description: Change apiPriorityAndFairness to true if you want to insulate the API calls made by Kyverno admission controller activities. This will help ensure Kyverno stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/

admissionController.hostNetwork📜

Type: bool

Default value
false

Description: Change hostNetwork to true when you want the pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.

admissionController.webhookServer📜

Type: object

Default value
port: 9443

Description: admissionController webhook server port in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to

admissionController.dnsPolicy📜

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

admissionController.nodeSelector📜

Type: object

Default value
{}

Description: Node labels for pod assignment

admissionController.tolerations📜

Type: list

Default value
[]

Description: List of node taints to tolerate

admissionController.antiAffinity.enabled📜

Type: bool

Default value
true

Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.

admissionController.podAffinity📜

Type: object

Default value
{}

Description: Pod affinity constraints.

admissionController.nodeAffinity📜

Type: object

Default value
{}

Description: Node affinity constraints.

admissionController.topologySpreadConstraints📜

Type: list

Default value
[]

Description: Topology spread constraints.

admissionController.podSecurityContext📜

Type: object

Default value
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001

Description: Security context for the pod

admissionController.podDisruptionBudget.enabled📜

Type: bool

Default value
false

Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.

admissionController.podDisruptionBudget.minAvailable📜

Type: int

Default value
1

Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.

admissionController.podDisruptionBudget.maxUnavailable📜

Type: string

Default value
nil

Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.

admissionController.tufRootMountPath📜

Type: string

Default value
"/.sigstore"

Description: A writable volume to use for the TUF root initialization.

admissionController.sigstoreVolume📜

Type: object

Default value
emptyDir: {}

Description: Volume to be mounted in pods for TUF/cosign work.

admissionController.caCertificates.data📜

Type: string

Default value
nil

Description: CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates

admissionController.caCertificates.volume📜

Type: object

Default value
{}

Description: Volume to be mounted for CA certificates Not used when .Values.admissionController.caCertificates.data is defined

admissionController.imagePullSecrets📜

Type: list

Default value
- name: private-registry

Description: Image pull secrets

admissionController.initContainer.image.registry📜

Type: string

Default value
nil

Description: Image registry

admissionController.initContainer.image.defaultRegistry📜

Type: string

Default value
"registry1.dso.mil"

admissionController.initContainer.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno/kyvernopre"

Description: Image repository

admissionController.initContainer.image.tag📜

Type: string

Default value
"v1.13.2"

Description: Image tag If missing, defaults to image.tag

admissionController.initContainer.image.pullPolicy📜

Type: string

Default value
nil

Description: Image pull policy If missing, defaults to image.pullPolicy

admissionController.initContainer.resources.limits📜

Type: object

Default value
cpu: 100m
memory: 256Mi

Description: Pod resource limits

admissionController.initContainer.resources.requests📜

Type: object

Default value
cpu: 10m
memory: 64Mi

Description: Pod resource requests

admissionController.initContainer.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
  type: RuntimeDefault

Description: Container security context

admissionController.initContainer.extraArgs📜

Type: object

Default value
{}

Description: Additional container args.

admissionController.initContainer.extraEnvVars📜

Type: list

Default value
[]

Description: Additional container environment variables.

admissionController.container.image.registry📜

Type: string

Default value
nil

Description: Image registry

admissionController.container.image.defaultRegistry📜

Type: string

Default value
"registry1.dso.mil"

admissionController.container.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno"

Description: Image repository

admissionController.container.image.tag📜

Type: string

Default value
"v1.13.2"

Description: Image tag Defaults to appVersion in Chart.yaml if omitted

admissionController.container.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

admissionController.container.imagePullSecrets📜

Type: list

Default value
- name: private-registry

Description: Image pull secrets

admissionController.container.resources.limits📜

Type: object

Default value
cpu: 500m
memory: 512Mi

Description: Pod resource limits

admissionController.container.resources.requests📜

Type: object

Default value
cpu: 500m
memory: 512Mi

Description: Pod resource requests

admissionController.container.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
  type: RuntimeDefault

Description: Container security context

admissionController.container.extraArgs📜

Type: object

Default value
{}

Description: Additional container args.

admissionController.container.extraEnvVars📜

Type: list

Default value
[]

Description: Additional container environment variables.

admissionController.extraInitContainers📜

Type: list

Default value
[]

Description: Array of extra init containers

admissionController.extraContainers📜

Type: list

Default value
[]

Description: Array of extra containers to run alongside kyverno

admissionController.service.port📜

Type: int

Default value
443

Description: Service port.

admissionController.service.type📜

Type: string

Default value
"ClusterIP"

Description: Service type.

admissionController.service.nodePort📜

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

admissionController.service.annotations📜

Type: object

Default value
{}

Description: Service annotations.

admissionController.metricsService.create📜

Type: bool

Default value
true

Description: Create service.

admissionController.metricsService.port📜

Type: int

Default value
8000

Description: Service port. Kyverno’s metrics server will be exposed at this port.

admissionController.metricsService.type📜

Type: string

Default value
"ClusterIP"

Description: Service type.

admissionController.metricsService.nodePort📜

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

admissionController.metricsService.annotations📜

Type: object

Default value
{}

Description: Service annotations.

admissionController.networkPolicy.enabled📜

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.

admissionController.networkPolicy.ingressFrom📜

Type: list

Default value
[]

Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.

admissionController.serviceMonitor.enabled📜

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

admissionController.serviceMonitor.additionalLabels📜

Type: object

Default value
{}

Description: Additional labels

admissionController.serviceMonitor.namespace📜

Type: string

Default value
nil

Description: Override namespace

admissionController.serviceMonitor.interval📜

Type: string

Default value
"30s"

Description: Interval to scrape metrics

admissionController.serviceMonitor.scrapeTimeout📜

Type: string

Default value
"25s"

Description: Timeout if metrics can’t be retrieved in given time interval

admissionController.serviceMonitor.secure📜

Type: bool

Default value
false

Description: Is TLS required for endpoint

admissionController.serviceMonitor.tlsConfig📜

Type: object

Default value
{}

Description: TLS Configuration for endpoint

admissionController.serviceMonitor.relabelings📜

Type: list

Default value
[]

Description: RelabelConfigs to apply to samples before scraping

admissionController.serviceMonitor.metricRelabelings📜

Type: list

Default value
[]

Description: MetricRelabelConfigs to apply to samples before ingestion.

admissionController.tracing.enabled📜

Type: bool

Default value
false

Description: Enable tracing

admissionController.tracing.address📜

Type: string

Default value
nil

Description: Traces receiver address

admissionController.tracing.port📜

Type: string

Default value
nil

Description: Traces receiver port

admissionController.tracing.creds📜

Type: string

Default value
""

Description: Traces receiver credentials

admissionController.metering.disabled📜

Type: bool

Default value
false

Description: Disable metrics export

admissionController.metering.config📜

Type: string

Default value
"prometheus"

Description: Otel configuration, can be prometheus or grpc

admissionController.metering.port📜

Type: int

Default value
8000

Description: Prometheus endpoint port

admissionController.metering.collector📜

Type: string

Default value
""

Description: Otel collector endpoint

admissionController.metering.creds📜

Type: string

Default value
""

Description: Otel collector credentials

admissionController.profiling.enabled📜

Type: bool

Default value
false

Description: Enable profiling

admissionController.profiling.port📜

Type: int

Default value
6060

Description: Profiling endpoint port

admissionController.profiling.serviceType📜

Type: string

Default value
"ClusterIP"

Description: Service type.

admissionController.profiling.nodePort📜

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

backgroundController.featuresOverride📜

Type: object

Default value
{}

Description: Overrides features defined at the root level

backgroundController.enabled📜

Type: bool

Default value
true

Description: Enable background controller.

backgroundController.rbac.create📜

Type: bool

Default value
true

Description: Create RBAC resources

backgroundController.rbac.createViewRoleBinding📜

Type: bool

Default value
true

Description: Create rolebinding to view role

backgroundController.rbac.viewRoleName📜

Type: string

Default value
"view"

Description: The view role to use in the rolebinding

backgroundController.rbac.serviceAccount.name📜

Type: string

Default value
nil

Description: Service account name

backgroundController.rbac.serviceAccount.annotations📜

Type: object

Default value
{}

Description: Annotations for the ServiceAccount

backgroundController.rbac.serviceAccount.automountServiceAccountToken.enabled📜

Type: bool

Default value
false

backgroundController.rbac.deployment.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

backgroundController.rbac.clusterRole.extraResources📜

Type: list

Default value
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - '*'
  resources:
  - secrets
  verbs:
  - create
  - update
  - delete

Description: Extra resource permissions to add in the cluster role

backgroundController.image.registry📜

Type: string

Default value
nil

Description: Image registry

backgroundController.image.defaultRegistry📜

Type: string

Default value
"registry1.dso.mil"

backgroundController.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno/kyverno/background-controller"

Description: Image repository

backgroundController.image.tag📜

Type: string

Default value
"v1.13.2"

Description: Image tag Defaults to appVersion in Chart.yaml if omitted

backgroundController.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

backgroundController.imagePullSecrets📜

Type: list

Default value
- name: private-registry

Description: Image pull secrets

backgroundController.replicas📜

Type: int

Default value
nil

Description: Desired number of pods

backgroundController.revisionHistoryLimit📜

Type: int

Default value
10

Description: The number of revisions to keep

backgroundController.resyncPeriod📜

Type: string

Default value
"15m"

Description: Resync period for informers

backgroundController.podLabels📜

Type: object

Default value
{}

Description: Additional labels to add to each pod

backgroundController.podAnnotations📜

Type: object

Default value
{}

Description: Additional annotations to add to each pod

backgroundController.annotations📜

Type: object

Default value
{}

Description: Deployment annotations.

backgroundController.priorityClassName📜

Type: string

Default value
""

Description: Optional priority class

backgroundController.hostNetwork📜

Type: bool

Default value
false

Description: Change hostNetwork to true when you want the pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.

backgroundController.dnsPolicy📜

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

backgroundController.extraArgs📜

Type: object

Default value
{}

Description: Extra arguments passed to the container on the command line

backgroundController.extraEnvVars📜

Type: list

Default value
[]

Description: Additional container environment variables.

backgroundController.resources.limits📜

Type: object

Default value
memory: 128Mi

Description: Pod resource limits

backgroundController.resources.requests📜

Type: object

Default value
cpu: 100m
memory: 64Mi

Description: Pod resource requests

backgroundController.nodeSelector📜

Type: object

Default value
{}

Description: Node labels for pod assignment

backgroundController.tolerations📜

Type: list

Default value
[]

Description: List of node taints to tolerate

backgroundController.antiAffinity.enabled📜

Type: bool

Default value
true

Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.

backgroundController.podAffinity📜

Type: object

Default value
{}

Description: Pod affinity constraints.

backgroundController.nodeAffinity📜

Type: object

Default value
{}

Description: Node affinity constraints.

backgroundController.topologySpreadConstraints📜

Type: list

Default value
[]

Description: Topology spread constraints.

backgroundController.podSecurityContext📜

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

backgroundController.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

backgroundController.podDisruptionBudget.enabled📜

Type: bool

Default value
false

Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.

backgroundController.podDisruptionBudget.minAvailable📜

Type: int

Default value
1

Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.

backgroundController.podDisruptionBudget.maxUnavailable📜

Type: string

Default value
nil

Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.

backgroundController.caCertificates.data📜

Type: string

Default value
nil

Description: CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates

backgroundController.caCertificates.volume📜

Type: object

Default value
{}

Description: Volume to be mounted for CA certificates Not used when .Values.backgroundController.caCertificates.data is defined

backgroundController.metricsService.create📜

Type: bool

Default value
true

Description: Create service.

backgroundController.metricsService.port📜

Type: int

Default value
8000

Description: Service port. Metrics server will be exposed at this port.

backgroundController.metricsService.type📜

Type: string

Default value
"ClusterIP"

Description: Service type.

backgroundController.metricsService.nodePort📜

Type: string

Default value
nil

Description: Service node port. Only used if metricsService.type is NodePort.

backgroundController.metricsService.annotations📜

Type: object

Default value
{}

Description: Service annotations.

backgroundController.networkPolicy.enabled📜

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.

backgroundController.networkPolicy.ingressFrom📜

Type: list

Default value
[]

Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.

backgroundController.serviceMonitor.enabled📜

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

backgroundController.serviceMonitor.additionalLabels📜

Type: object

Default value
{}

Description: Additional labels

backgroundController.serviceMonitor.namespace📜

Type: string

Default value
nil

Description: Override namespace

backgroundController.serviceMonitor.interval📜

Type: string

Default value
"30s"

Description: Interval to scrape metrics

backgroundController.serviceMonitor.scrapeTimeout📜

Type: string

Default value
"25s"

Description: Timeout if metrics can’t be retrieved in given time interval

backgroundController.serviceMonitor.secure📜

Type: bool

Default value
false

Description: Is TLS required for endpoint

backgroundController.serviceMonitor.tlsConfig📜

Type: object

Default value
{}

Description: TLS Configuration for endpoint

backgroundController.serviceMonitor.relabelings📜

Type: list

Default value
[]

Description: RelabelConfigs to apply to samples before scraping

backgroundController.serviceMonitor.metricRelabelings📜

Type: list

Default value
[]

Description: MetricRelabelConfigs to apply to samples before ingestion.

backgroundController.tracing.enabled📜

Type: bool

Default value
false

Description: Enable tracing

backgroundController.tracing.address📜

Type: string

Default value
nil

Description: Traces receiver address

backgroundController.tracing.port📜

Type: string

Default value
nil

Description: Traces receiver port

backgroundController.tracing.creds📜

Type: string

Default value
""

Description: Traces receiver credentials

backgroundController.metering.disabled📜

Type: bool

Default value
false

Description: Disable metrics export

backgroundController.metering.config📜

Type: string

Default value
"prometheus"

Description: Otel configuration, can be prometheus or grpc

backgroundController.metering.port📜

Type: int

Default value
8000

Description: Prometheus endpoint port

backgroundController.metering.collector📜

Type: string

Default value
""

Description: Otel collector endpoint

backgroundController.metering.creds📜

Type: string

Default value
""

Description: Otel collector credentials

backgroundController.server📜

Type: object

Default value
port: 9443

Description: backgroundController server port in case you are using hostNetwork: true, you might want to change the port the backgroundController is listening to

backgroundController.profiling.enabled📜

Type: bool

Default value
false

Description: Enable profiling

backgroundController.profiling.port📜

Type: int

Default value
6060

Description: Profiling endpoint port

backgroundController.profiling.serviceType📜

Type: string

Default value
"ClusterIP"

Description: Service type.

backgroundController.profiling.nodePort📜

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

cleanupController.featuresOverride📜

Type: object

Default value
{}

Description: Overrides features defined at the root level

cleanupController.enabled📜

Type: bool

Default value
true

Description: Enable cleanup controller.

cleanupController.rbac.create📜

Type: bool

Default value
true

Description: Create RBAC resources

cleanupController.rbac.serviceAccount.name📜

Type: string

Default value
nil

Description: Service account name

cleanupController.rbac.serviceAccount.annotations📜

Type: object

Default value
{}

Description: Annotations for the ServiceAccount

cleanupController.rbac.serviceAccount.automountServiceAccountToken.enabled📜

Type: bool

Default value
false

cleanupController.rbac.deployment.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

cleanupController.rbac.clusterRole.extraResources📜

Type: list

Default value
[]

Description: Extra resource permissions to add in the cluster role

cleanupController.createSelfSignedCert📜

Type: bool

Default value
false

Description: Create self-signed certificates at deployment time. The certificates won’t be automatically renewed if this is set to true.

cleanupController.image.registry📜

Type: string

Default value
nil

Description: Image registry

cleanupController.image.defaultRegistry📜

Type: string

Default value
"registry1.dso.mil"

cleanupController.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno/kyverno/cleanup-controller"

Description: Image repository

cleanupController.image.tag📜

Type: string

Default value
"v1.13.2"

Description: Image tag Defaults to appVersion in Chart.yaml if omitted

cleanupController.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

cleanupController.imagePullSecrets📜

Type: list

Default value
- name: private-registry

Description: Image pull secrets

cleanupController.replicas📜

Type: int

Default value
nil

Description: Desired number of pods

cleanupController.revisionHistoryLimit📜

Type: int

Default value
10

Description: The number of revisions to keep

cleanupController.resyncPeriod📜

Type: string

Default value
"15m"

Description: Resync period for informers

cleanupController.podLabels📜

Type: object

Default value
{}

Description: Additional labels to add to each pod

cleanupController.podAnnotations📜

Type: object

Default value
{}

Description: Additional annotations to add to each pod

cleanupController.annotations📜

Type: object

Default value
{}

Description: Deployment annotations.

cleanupController.priorityClassName📜

Type: string

Default value
""

Description: Optional priority class

cleanupController.hostNetwork📜

Type: bool

Default value
false

Description: Change hostNetwork to true when you want the pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.

cleanupController.server📜

Type: object

Default value
port: 9443

Description: cleanupController server port in case you are using hostNetwork: true, you might want to change the port the cleanupController is listening to

cleanupController.webhookServer📜

Type: object

Default value
port: 9443

Description: cleanupController webhook server port in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to

cleanupController.dnsPolicy📜

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

cleanupController.extraArgs📜

Type: object

Default value
{}

Description: Extra arguments passed to the container on the command line

cleanupController.extraEnvVars📜

Type: list

Default value
[]

Description: Additional container environment variables.

cleanupController.resources.limits📜

Type: object

Default value
memory: 128Mi

Description: Pod resource limits

cleanupController.resources.requests📜

Type: object

Default value
cpu: 100m
memory: 64Mi

Description: Pod resource requests

cleanupController.nodeSelector📜

Type: object

Default value
{}

Description: Node labels for pod assignment

cleanupController.tolerations📜

Type: list

Default value
[]

Description: List of node taints to tolerate

cleanupController.antiAffinity.enabled📜

Type: bool

Default value
true

Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.

cleanupController.podAffinity📜

Type: object

Default value
{}

Description: Pod affinity constraints.

cleanupController.nodeAffinity📜

Type: object

Default value
{}

Description: Node affinity constraints.

cleanupController.topologySpreadConstraints📜

Type: list

Default value
[]

Description: Topology spread constraints.

cleanupController.podSecurityContext📜

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

cleanupController.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

cleanupController.podDisruptionBudget.enabled📜

Type: bool

Default value
false

Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.

cleanupController.podDisruptionBudget.minAvailable📜

Type: int

Default value
1

Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.

cleanupController.podDisruptionBudget.maxUnavailable📜

Type: string

Default value
nil

Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.

cleanupController.service.port📜

Type: int

Default value
443

Description: Service port.

cleanupController.service.type📜

Type: string

Default value
"ClusterIP"

Description: Service type.

cleanupController.service.nodePort📜

Type: string

Default value
nil

Description: Service node port. Only used if service.type is NodePort.

cleanupController.service.annotations📜

Type: object

Default value
{}

Description: Service annotations.

cleanupController.metricsService.create📜

Type: bool

Default value
true

Description: Create service.

cleanupController.metricsService.port📜

Type: int

Default value
8000

Description: Service port. Metrics server will be exposed at this port.

cleanupController.metricsService.type📜

Type: string

Default value
"ClusterIP"

Description: Service type.

cleanupController.metricsService.nodePort📜

Type: string

Default value
nil

Description: Service node port. Only used if metricsService.type is NodePort.

cleanupController.metricsService.annotations📜

Type: object

Default value
{}

Description: Service annotations.

cleanupController.networkPolicy.enabled📜

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.

cleanupController.networkPolicy.ingressFrom📜

Type: list

Default value
[]

Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.

cleanupController.serviceMonitor.enabled📜

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

cleanupController.serviceMonitor.additionalLabels📜

Type: object

Default value
{}

Description: Additional labels

cleanupController.serviceMonitor.namespace📜

Type: string

Default value
nil

Description: Override namespace

cleanupController.serviceMonitor.interval📜

Type: string

Default value
"30s"

Description: Interval to scrape metrics

cleanupController.serviceMonitor.scrapeTimeout📜

Type: string

Default value
"25s"

Description: Timeout if metrics can’t be retrieved in given time interval

cleanupController.serviceMonitor.secure📜

Type: bool

Default value
false

Description: Is TLS required for endpoint

cleanupController.serviceMonitor.tlsConfig📜

Type: object

Default value
{}

Description: TLS Configuration for endpoint

cleanupController.serviceMonitor.relabelings📜

Type: list

Default value
[]

Description: RelabelConfigs to apply to samples before scraping

cleanupController.serviceMonitor.metricRelabelings📜

Type: list

Default value
[]

Description: MetricRelabelConfigs to apply to samples before ingestion.

cleanupController.tracing.enabled📜

Type: bool

Default value
false

Description: Enable tracing

cleanupController.tracing.address📜

Type: string

Default value
nil

Description: Traces receiver address

cleanupController.tracing.port📜

Type: string

Default value
nil

Description: Traces receiver port

cleanupController.tracing.creds📜

Type: string

Default value
""

Description: Traces receiver credentials

cleanupController.metering.disabled📜

Type: bool

Default value
false

Description: Disable metrics export

cleanupController.metering.config📜

Type: string

Default value
"prometheus"

Description: Otel configuration, can be prometheus or grpc

cleanupController.metering.port📜

Type: int

Default value
8000

Description: Prometheus endpoint port

cleanupController.metering.collector📜

Type: string

Default value
""

Description: Otel collector endpoint

cleanupController.metering.creds📜

Type: string

Default value
""

Description: Otel collector credentials

cleanupController.profiling.enabled📜

Type: bool

Default value
false

Description: Enable profiling

cleanupController.profiling.port📜

Type: int

Default value
6060

Description: Profiling endpoint port

cleanupController.profiling.serviceType📜

Type: string

Default value
"ClusterIP"

Description: Service type.

cleanupController.profiling.nodePort📜

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

reportsController.featuresOverride📜

Type: object

Default value
{}

Description: Overrides features defined at the root level

reportsController.enabled📜

Type: bool

Default value
true

Description: Enable reports controller.

reportsController.rbac.create📜

Type: bool

Default value
true

Description: Create RBAC resources

reportsController.rbac.createViewRoleBinding📜

Type: bool

Default value
true

Description: Create rolebinding to view role

reportsController.rbac.viewRoleName📜

Type: string

Default value
"view"

Description: The view role to use in the rolebinding

reportsController.rbac.serviceAccount.name📜

Type: string

Default value
nil

Description: Service account name

reportsController.rbac.serviceAccount.annotations📜

Type: object

Default value
{}

Description: Annotations for the ServiceAccount

reportsController.rbac.serviceAccount.automountServiceAccountToken.enabled📜

Type: bool

Default value
false

reportsController.rbac.deployment.automountServiceAccountToken.enabled📜

Type: bool

Default value
true

reportsController.rbac.clusterRole.extraResources📜

Type: list

Default value
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch

Description: Extra resource permissions to add in the cluster role

reportsController.image.registry📜

Type: string

Default value
nil

Description: Image registry

reportsController.image.defaultRegistry📜

Type: string

Default value
"registry1.dso.mil"

reportsController.image.repository📜

Type: string

Default value
"ironbank/opensource/kyverno/kyverno/reports-controller"

Description: Image repository

reportsController.image.tag📜

Type: string

Default value
"v1.13.2"

Description: Image tag Defaults to appVersion in Chart.yaml if omitted

reportsController.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

Description: Image pull policy

reportsController.imagePullSecrets📜

Type: list

Default value
- name: private-registry

Description: Image pull secrets

reportsController.replicas📜

Type: int

Default value
nil

Description: Desired number of pods

reportsController.revisionHistoryLimit📜

Type: int

Default value
10

Description: The number of revisions to keep

reportsController.resyncPeriod📜

Type: string

Default value
"15m"

Description: Resync period for informers

reportsController.podLabels📜

Type: object

Default value
{}

Description: Additional labels to add to each pod

reportsController.podAnnotations📜

Type: object

Default value
{}

Description: Additional annotations to add to each pod

reportsController.annotations📜

Type: object

Default value
{}

Description: Deployment annotations.

reportsController.priorityClassName📜

Type: string

Default value
""

Description: Optional priority class

reportsController.apiPriorityAndFairness📜

Type: bool

Default value
false

Description: Change apiPriorityAndFairness to true if you want to insulate the API calls made by Kyverno reports controller activities. This will help ensure Kyverno reports stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/

reportsController.hostNetwork📜

Type: bool

Default value
false

Description: Change hostNetwork to true when you want the pod to share its host’s network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the dnsPolicy accordingly as well to suit the host network mode.

reportsController.dnsPolicy📜

Type: string

Default value
"ClusterFirst"

Description: dnsPolicy determines the manner in which DNS resolution happens in the cluster. In case of hostNetwork: true, usually, the dnsPolicy is suitable to be ClusterFirstWithHostNet. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.

reportsController.extraArgs📜

Type: object

Default value
{}

Description: Extra arguments passed to the container on the command line

reportsController.extraEnvVars📜

Type: list

Default value
[]

Description: Additional container environment variables.

reportsController.resources.limits📜

Type: object

Default value
memory: 128Mi

Description: Pod resource limits

reportsController.resources.requests📜

Type: object

Default value
cpu: 100m
memory: 64Mi

Description: Pod resource requests

reportsController.nodeSelector📜

Type: object

Default value
{}

Description: Node labels for pod assignment

reportsController.tolerations📜

Type: list

Default value
[]

Description: List of node taints to tolerate

reportsController.antiAffinity.enabled📜

Type: bool

Default value
true

Description: Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node.

reportsController.podAffinity📜

Type: object

Default value
{}

Description: Pod affinity constraints.

reportsController.nodeAffinity📜

Type: object

Default value
{}

Description: Node affinity constraints.

reportsController.topologySpreadConstraints📜

Type: list

Default value
[]

Description: Topology spread constraints.

reportsController.podSecurityContext📜

Type: object

Default value
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

Description: Security context for the pod

reportsController.securityContext📜

Type: object

Default value
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
  type: RuntimeDefault

Description: Security context for the containers

reportsController.podDisruptionBudget.enabled📜

Type: bool

Default value
false

Description: Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.

reportsController.podDisruptionBudget.minAvailable📜

Type: int

Default value
1

Description: Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.

reportsController.podDisruptionBudget.maxUnavailable📜

Type: string

Default value
nil

Description: Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.

reportsController.tufRootMountPath📜

Type: string

Default value
"/.sigstore"

Description: A writable volume to use for the TUF root initialization.

reportsController.sigstoreVolume📜

Type: object

Default value
emptyDir: {}

Description: Volume to be mounted in pods for TUF/cosign work.

reportsController.caCertificates.data📜

Type: string

Default value
nil

Description: CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates

reportsController.caCertificates.volume📜

Type: object

Default value
{}

Description: Volume to be mounted for CA certificates Not used when .Values.reportsController.caCertificates.data is defined

reportsController.metricsService.create📜

Type: bool

Default value
true

Description: Create service.

reportsController.metricsService.port📜

Type: int

Default value
8000

Description: Service port. Metrics server will be exposed at this port.

reportsController.metricsService.type📜

Type: string

Default value
"ClusterIP"

Description: Service type.

reportsController.metricsService.nodePort📜

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

reportsController.metricsService.annotations📜

Type: object

Default value
{}

Description: Service annotations.

reportsController.networkPolicy.enabled📜

Type: bool

Default value
false

Description: When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.

reportsController.networkPolicy.ingressFrom📜

Type: list

Default value
[]

Description: A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.

reportsController.serviceMonitor.enabled📜

Type: bool

Default value
false

Description: Create a ServiceMonitor to collect Prometheus metrics.

reportsController.serviceMonitor.additionalLabels📜

Type: object

Default value
{}

Description: Additional labels

reportsController.serviceMonitor.namespace📜

Type: string

Default value
nil

Description: Override namespace

reportsController.serviceMonitor.interval📜

Type: string

Default value
"30s"

Description: Interval to scrape metrics

reportsController.serviceMonitor.scrapeTimeout📜

Type: string

Default value
"25s"

Description: Timeout if metrics can’t be retrieved in given time interval

reportsController.serviceMonitor.secure📜

Type: bool

Default value
false

Description: Is TLS required for endpoint

reportsController.serviceMonitor.tlsConfig📜

Type: object

Default value
{}

Description: TLS Configuration for endpoint

reportsController.serviceMonitor.relabelings📜

Type: list

Default value
[]

Description: RelabelConfigs to apply to samples before scraping

reportsController.serviceMonitor.metricRelabelings📜

Type: list

Default value
[]

Description: MetricRelabelConfigs to apply to samples before ingestion.

reportsController.tracing.enabled📜

Type: bool

Default value
false

Description: Enable tracing

reportsController.tracing.address📜

Type: string

Default value
nil

Description: Traces receiver address

reportsController.tracing.port📜

Type: string

Default value
nil

Description: Traces receiver port

reportsController.tracing.creds📜

Type: string

Default value
nil

Description: Traces receiver credentials

reportsController.metering.disabled📜

Type: bool

Default value
false

Description: Disable metrics export

reportsController.metering.config📜

Type: string

Default value
"prometheus"

Description: Otel configuration, can be prometheus or grpc

reportsController.metering.port📜

Type: int

Default value
8000

Description: Prometheus endpoint port

reportsController.metering.collector📜

Type: string

Default value
nil

Description: Otel collector endpoint

reportsController.metering.creds📜

Type: string

Default value
nil

Description: Otel collector credentials

reportsController.server📜

Type: object

Default value
port: 9443

Description: reportsController server port in case you are using hostNetwork: true, you might want to change the port the reportsController is listening to

reportsController.profiling.enabled📜

Type: bool

Default value
false

Description: Enable profiling

reportsController.profiling.port📜

Type: int

Default value
6060

Description: Profiling endpoint port

reportsController.profiling.serviceType📜

Type: string

Default value
"ClusterIP"

Description: Service type.

reportsController.profiling.nodePort📜

Type: string

Default value
nil

Description: Service node port. Only used if type is NodePort.

networkPolicies.enabled📜

Type: bool

Default value
false

networkPolicies.controlPlaneCidr📜

Type: string

Default value
"0.0.0.0/0"

networkPolicies.externalRegistries.allowEgress📜

Type: bool

Default value
false

networkPolicies.externalRegistries.ports📜

Type: list

Default value
[]

networkPolicies.allowExternalRegistryEgress📜

Type: bool

Default value
false

networkPolicies.additionalPolicies📜

Type: list

Default value
[]

istio.enabled📜

Type: bool

Default value
false

openshift📜

Type: bool

Default value
false

bbtests.enabled📜

Type: bool

Default value
false

bbtests.scripts.image📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6"

bbtests.scripts.additionalVolumeMounts[0].name📜

Type: string

Default value
"kyverno-bbtest-manifest"

bbtests.scripts.additionalVolumeMounts[0].mountPath📜

Type: string

Default value
"/yaml"

bbtests.scripts.additionalVolumes[0].name📜

Type: string

Default value
"kyverno-bbtest-manifest"

bbtests.scripts.additionalVolumes[0].configMap.name📜

Type: string

Default value
"kyverno-bbtest-manifest"