policy values.yaml
📜
openshift📜
Type: bool
false
replicas📜
Type: int
3
revisionHistoryLimit📜
Type: int
10
auditInterval📜
Type: int
60
metricsBackends[0]📜
Type: string
"prometheus"
auditMatchKindOnly📜
Type: bool
true
constraintViolationsLimit📜
Type: int
1000
auditFromCache📜
Type: bool
false
disableMutation📜
Type: bool
true
disableAudit📜
Type: bool
false
disableValidatingWebhook📜
Type: bool
false
validatingWebhookName📜
Type: string
"gatekeeper-validating-webhook-configuration"
validatingWebhookTimeoutSeconds📜
Type: int
15
validatingWebhookFailurePolicy📜
Type: string
"Ignore"
validatingWebhookAnnotations📜
Type: object
{}
validatingWebhookExemptNamespacesLabels📜
Type: object
{}
validatingWebhookObjectSelector📜
Type: object
{}
validatingWebhookMatchConditions📜
Type: list
[]
validatingWebhookCheckIgnoreFailurePolicy📜
Type: string
"Fail"
validatingWebhookCustomRules📜
Type: object
{}
validatingWebhookURL📜
Type: string
nil
enableDeleteOperations📜
Type: bool
false
enableConnectOperations📜
Type: bool
false
enableExternalData📜
Type: bool
true
enableGeneratorResourceExpansion📜
Type: bool
true
enableTLSHealthcheck📜
Type: bool
false
maxServingThreads📜
Type: int
-1
mutatingWebhookName📜
Type: string
"gatekeeper-mutating-webhook-configuration"
mutatingWebhookFailurePolicy📜
Type: string
"Ignore"
mutatingWebhookReinvocationPolicy📜
Type: string
"Never"
mutatingWebhookAnnotations📜
Type: object
{}
mutatingWebhookExemptNamespacesLabels📜
Type: object
{}
mutatingWebhookObjectSelector📜
Type: object
{}
mutatingWebhookMatchConditions📜
Type: list
[]
mutatingWebhookTimeoutSeconds📜
Type: int
1
mutatingWebhookCustomRules📜
Type: object
{}
mutatingWebhookURL📜
Type: string
nil
mutationAnnotations📜
Type: bool
false
auditChunkSize📜
Type: int
500
logLevel📜
Type: string
"INFO"
logDenies📜
Type: bool
true
logMutations📜
Type: bool
true
emitAdmissionEvents📜
Type: bool
false
emitAuditEvents📜
Type: bool
false
admissionEventsInvolvedNamespace📜
Type: bool
false
auditEventsInvolvedNamespace📜
Type: bool
false
resourceQuota📜
Type: bool
true
externaldataProviderResponseCacheTTL📜
Type: string
"3m"
enableK8sNativeValidation📜
Type: bool
true
image.repository📜
Type: string
"registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper"
image.release📜
Type: string
"v3.17.1"
image.pullPolicy📜
Type: string
"IfNotPresent"
image.pullSecrets[0].name📜
Type: string
"private-registry"
image.crdRepository📜
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
image.crdRelease📜
Type: string
"v1.29.8"
preInstall.crdRepository.image.repository📜
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
preInstall.crdRepository.image.tag📜
Type: string
"v1.29.8"
preInstall.securityContext.allowPrivilegeEscalation📜
Type: bool
false
preInstall.securityContext.capabilities.drop[0]📜
Type: string
"ALL"
preInstall.securityContext.readOnlyRootFilesystem📜
Type: bool
true
preInstall.securityContext.runAsGroup📜
Type: int
999
preInstall.securityContext.runAsNonRoot📜
Type: bool
true
preInstall.securityContext.runAsUser📜
Type: int
1000
postUpgrade.labelNamespace.serviceAccount.name📜
Type: string
"gatekeeper-update-namespace-label-post-upgrade"
postUpgrade.labelNamespace.serviceAccount.create📜
Type: bool
true
postUpgrade.labelNamespace.enabled📜
Type: bool
false
postUpgrade.labelNamespace.image.repository📜
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
postUpgrade.labelNamespace.image.tag📜
Type: string
"v1.29.8"
postUpgrade.labelNamespace.image.pullPolicy📜
Type: string
"IfNotPresent"
postUpgrade.labelNamespace.image.pullSecrets📜
Type: list
[]
postUpgrade.labelNamespace.extraNamespaces📜
Type: list
[]
postUpgrade.labelNamespace.podSecurity📜
Type: list
[]
postUpgrade.labelNamespace.extraAnnotations📜
Type: object
{}
postUpgrade.labelNamespace.priorityClassName📜
Type: string
""
postUpgrade.affinity📜
Type: object
{}
postUpgrade.tolerations📜
Type: list
[]
postUpgrade.nodeSelector.”kubernetes.io/os”📜
Type: string
"linux"
postUpgrade.resources📜
Type: object
{}
postUpgrade.securityContext.allowPrivilegeEscalation📜
Type: bool
false
postUpgrade.securityContext.capabilities.drop[0]📜
Type: string
"ALL"
postUpgrade.securityContext.readOnlyRootFilesystem📜
Type: bool
true
postUpgrade.securityContext.runAsGroup📜
Type: int
999
postUpgrade.securityContext.runAsNonRoot📜
Type: bool
true
postUpgrade.securityContext.runAsUser📜
Type: int
1000
postInstall.labelNamespace.serviceAccount.name📜
Type: string
"gatekeeper-update-namespace-label"
postInstall.labelNamespace.serviceAccount.create📜
Type: bool
true
postInstall.labelNamespace.enabled📜
Type: bool
true
postInstall.labelNamespace.extraRules📜
Type: list
[]
postInstall.labelNamespace.image.repository📜
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
postInstall.labelNamespace.image.tag📜
Type: string
"v1.29.8"
postInstall.labelNamespace.image.pullPolicy📜
Type: string
"IfNotPresent"
postInstall.labelNamespace.image.pullSecrets📜
Type: list
[]
postInstall.labelNamespace.extraNamespaces📜
Type: list
[]
postInstall.labelNamespace.podSecurity📜
Type: list
[]
postInstall.labelNamespace.extraAnnotations📜
Type: object
{}
postInstall.labelNamespace.priorityClassName📜
Type: string
""
postInstall.probeWebhook.enabled📜
Type: bool
true
postInstall.probeWebhook.image.repository📜
Type: string
"registry1.dso.mil/ironbank/big-bang/base"
postInstall.probeWebhook.image.tag📜
Type: string
"2.1.0"
postInstall.probeWebhook.image.pullPolicy📜
Type: string
"IfNotPresent"
postInstall.probeWebhook.image.pullSecrets📜
Type: list
[]
postInstall.probeWebhook.waitTimeout📜
Type: int
60
postInstall.probeWebhook.httpTimeout📜
Type: int
2
postInstall.probeWebhook.insecureHTTPS📜
Type: bool
false
postInstall.probeWebhook.priorityClassName📜
Type: string
""
postInstall.affinity📜
Type: object
{}
postInstall.tolerations📜
Type: list
[]
postInstall.nodeSelector.”kubernetes.io/os”📜
Type: string
"linux"
postInstall.securityContext.allowPrivilegeEscalation📜
Type: bool
false
postInstall.securityContext.capabilities.drop[0]📜
Type: string
"ALL"
postInstall.securityContext.readOnlyRootFilesystem📜
Type: bool
true
postInstall.securityContext.runAsGroup📜
Type: int
999
postInstall.securityContext.runAsNonRoot📜
Type: bool
true
postInstall.securityContext.runAsUser📜
Type: int
1000
preUninstall.deleteWebhookConfigurations.serviceAccount.name📜
Type: string
"gatekeeper-delete-webhook-configs"
preUninstall.deleteWebhookConfigurations.serviceAccount.create📜
Type: bool
true
preUninstall.deleteWebhookConfigurations.extraRules📜
Type: list
[]
preUninstall.deleteWebhookConfigurations.enabled📜
Type: bool
false
preUninstall.deleteWebhookConfigurations.image.repository📜
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"
preUninstall.deleteWebhookConfigurations.image.tag📜
Type: string
"v1.29.8"
preUninstall.deleteWebhookConfigurations.image.pullPolicy📜
Type: string
"IfNotPresent"
preUninstall.deleteWebhookConfigurations.image.pullSecrets📜
Type: list
[]
preUninstall.deleteWebhookConfigurations.priorityClassName📜
Type: string
""
preUninstall.affinity📜
Type: object
{}
preUninstall.tolerations📜
Type: list
[]
preUninstall.nodeSelector.”kubernetes.io/os”📜
Type: string
"linux"
preUninstall.resources📜
Type: object
{}
preUninstall.securityContext.allowPrivilegeEscalation📜
Type: bool
false
preUninstall.securityContext.capabilities.drop[0]📜
Type: string
"ALL"
preUninstall.securityContext.readOnlyRootFilesystem📜
Type: bool
true
preUninstall.securityContext.runAsGroup📜
Type: int
999
preUninstall.securityContext.runAsNonRoot📜
Type: bool
true
preUninstall.securityContext.runAsUser📜
Type: int
1000
podAnnotations.”container.seccomp.security.alpha.kubernetes.io/manager”📜
Type: string
"runtime/default"
auditPodAnnotations📜
Type: object
{}
podLabels📜
Type: object
{}
podCountLimit📜
Type: string
"100"
secretAnnotations📜
Type: object
{}
enableRuntimeDefaultSeccompProfile📜
Type: bool
true
controllerManager.serviceAccount.name📜
Type: string
"gatekeeper-admin"
controllerManager.exemptNamespaces📜
Type: list
[]
controllerManager.exemptNamespacePrefixes📜
Type: list
[]
controllerManager.hostNetwork📜
Type: bool
false
controllerManager.dnsPolicy📜
Type: string
"ClusterFirst"
controllerManager.port📜
Type: int
8443
controllerManager.metricsPort📜
Type: int
8888
controllerManager.healthPort📜
Type: int
9090
controllerManager.readinessTimeout📜
Type: int
1
controllerManager.livenessTimeout📜
Type: int
1
controllerManager.priorityClassName📜
Type: string
"system-cluster-critical"
controllerManager.disableCertRotation📜
Type: bool
false
controllerManager.tlsMinVersion📜
Type: float
1.3
controllerManager.clientCertName📜
Type: string
""
controllerManager.strategyType📜
Type: string
"RollingUpdate"
controllerManager.strategyRollingUpdate📜
Type: object
{}
controllerManager.podLabels📜
Type: object
{}
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].key📜
Type: string
"gatekeeper.sh/operation"
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].operator📜
Type: string
"In"
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values[0]📜
Type: string
"webhook"
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey📜
Type: string
"kubernetes.io/hostname"
controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight📜
Type: int
100
controllerManager.topologySpreadConstraints📜
Type: list
[]
controllerManager.tolerations📜
Type: list
[]
controllerManager.nodeSelector.”kubernetes.io/os”📜
Type: string
"linux"
controllerManager.resources.limits.cpu📜
Type: string
"175m"
controllerManager.resources.limits.memory📜
Type: string
"512Mi"
controllerManager.resources.requests.cpu📜
Type: string
"175m"
controllerManager.resources.requests.memory📜
Type: string
"512Mi"
controllerManager.securityContext.allowPrivilegeEscalation📜
Type: bool
false
controllerManager.securityContext.capabilities.drop[0]📜
Type: string
"ALL"
controllerManager.securityContext.readOnlyRootFilesystem📜
Type: bool
true
controllerManager.securityContext.runAsGroup📜
Type: int
999
controllerManager.securityContext.runAsNonRoot📜
Type: bool
true
controllerManager.securityContext.runAsUser📜
Type: int
1000
controllerManager.podSecurityContext.fsGroup📜
Type: int
999
controllerManager.podSecurityContext.supplementalGroups[0]📜
Type: int
999
controllerManager.extraRules📜
Type: list
[]
controllerManager.networkPolicy.enabled📜
Type: bool
false
controllerManager.networkPolicy.ingress📜
Type: object
{}
audit.serviceAccount.name📜
Type: string
"gatekeeper-admin"
audit.enablePubsub📜
Type: bool
false
audit.hostNetwork📜
Type: bool
false
audit.dnsPolicy📜
Type: string
"ClusterFirst"
audit.metricsPort📜
Type: int
8888
audit.healthPort📜
Type: int
9090
audit.readinessTimeout📜
Type: int
1
audit.livenessTimeout📜
Type: int
1
audit.priorityClassName📜
Type: string
"system-cluster-critical"
audit.disableCertRotation📜
Type: bool
false
audit.podLabels📜
Type: object
{}
audit.affinity📜
Type: object
{}
audit.tolerations📜
Type: list
[]
audit.nodeSelector.”kubernetes.io/os”📜
Type: string
"linux"
audit.resources.limits.cpu📜
Type: float
1.2
audit.resources.limits.memory📜
Type: string
"768Mi"
audit.resources.requests.cpu📜
Type: float
1.2
audit.resources.requests.memory📜
Type: string
"768Mi"
audit.securityContext.allowPrivilegeEscalation📜
Type: bool
false
audit.securityContext.capabilities.drop[0]📜
Type: string
"ALL"
audit.securityContext.readOnlyRootFilesystem📜
Type: bool
true
audit.securityContext.runAsGroup📜
Type: int
999
audit.securityContext.runAsNonRoot📜
Type: bool
true
audit.securityContext.runAsUser📜
Type: int
1000
audit.podSecurityContext.fsGroup📜
Type: int
999
audit.podSecurityContext.supplementalGroups[0]📜
Type: int
999
audit.writeToRAMDisk📜
Type: bool
false
audit.extraRules📜
Type: list
[]
crds.affinity📜
Type: object
{}
crds.tolerations📜
Type: list
[]
crds.nodeSelector.”kubernetes.io/os”📜
Type: string
"linux"
crds.resources📜
Type: object
{}
crds.securityContext.allowPrivilegeEscalation📜
Type: bool
false
crds.securityContext.capabilities.drop[0]📜
Type: string
"ALL"
crds.securityContext.readOnlyRootFilesystem📜
Type: bool
true
crds.securityContext.runAsGroup📜
Type: int
65532
crds.securityContext.runAsNonRoot📜
Type: bool
true
crds.securityContext.runAsUser📜
Type: int
65532
pdb.controllerManager.minAvailable📜
Type: int
1
service📜
Type: object
{}
disabledBuiltins[0]📜
Type: string
"{http.send}"
psp.enabled📜
Type: bool
false
upgradeCRDs.serviceAccount.create📜
Type: bool
true
upgradeCRDs.serviceAccount.name📜
Type: string
"gatekeeper-admin-upgrade-crds"
upgradeCRDs.enabled📜
Type: bool
true
upgradeCRDs.extraRules📜
Type: list
[]
upgradeCRDs.priorityClassName📜
Type: string
""
cleanupCRDs.enabled📜
Type: bool
true
cleanupCRDs.containerSecurityContext.allowPrivilegeEscalation📜
Type: bool
false
cleanupCRDs.containerSecurityContext.capabilities.drop[0]📜
Type: string
"ALL"
cleanupCRDs.containerSecurityContext.readOnlyRootFilesystem📜
Type: bool
true
cleanupCRDs.containerSecurityContext.runAsGroup📜
Type: int
999
cleanupCRDs.containerSecurityContext.runAsNonRoot📜
Type: bool
true
cleanupCRDs.containerSecurityContext.runAsUser📜
Type: int
1000
cleanupCRDs.securityContext.readOnlyRootFilesystem📜
Type: bool
true
cleanupCRDs.securityContext.runAsGroup📜
Type: int
999
cleanupCRDs.securityContext.runAsNonRoot📜
Type: bool
true
cleanupCRDs.securityContext.runAsUser📜
Type: int
1000
cleanupCRDs.securityContext.fsGroup📜
Type: int
999
cleanupCRDs.securityContext.supplementalGroups[0]📜
Type: int
999
rbac.create📜
Type: bool
true
externalCertInjection.enabled📜
Type: bool
false
externalCertInjection.secretName📜
Type: string
"gatekeeper-webhook-server-cert"
violations.allowedAppArmorProfiles.enabled📜
Type: bool
false
violations.allowedAppArmorProfiles.enforcementAction📜
Type: string
"dryrun"
violations.allowedAppArmorProfiles.kind📜
Type: string
"K8sPSPAppArmor"
violations.allowedAppArmorProfiles.name📜
Type: string
"allowed-app-armor-profiles"
violations.allowedAppArmorProfiles.match📜
Type: object
{}
violations.allowedAppArmorProfiles.parameters.allowedProfiles[0]📜
Type: string
"runtime/default"
violations.allowedAppArmorProfiles.parameters.excludedResources📜
Type: list
[]
violations.allowedCapabilities.enabled📜
Type: bool
true
violations.allowedCapabilities.enforcementAction📜
Type: string
"dryrun"
violations.allowedCapabilities.kind📜
Type: string
"K8sPSPCapabilities"
violations.allowedCapabilities.name📜
Type: string
"allowed-capabilities"
violations.allowedCapabilities.match📜
Type: object
{}
violations.allowedCapabilities.parameters.allowedCapabilities📜
Type: list
[]
violations.allowedCapabilities.parameters.requiredDropCapabilities[0]📜
Type: string
"all"
violations.allowedCapabilities.parameters.excludedResources📜
Type: list
[]
violations.allowedDockerRegistries.enabled📜
Type: bool
true
violations.allowedDockerRegistries.enforcementAction📜
Type: string
"deny"
violations.allowedDockerRegistries.kind📜
Type: string
"K8sAllowedRepos"
violations.allowedDockerRegistries.name📜
Type: string
"allowed-docker-registries"
violations.allowedDockerRegistries.match📜
Type: object
{}
violations.allowedDockerRegistries.parameters.repos[0]📜
Type: string
"registry1.dso.mil"
violations.allowedDockerRegistries.parameters.excludedResources📜
Type: list
[]
violations.allowedFlexVolumes.enabled📜
Type: bool
true
violations.allowedFlexVolumes.enforcementAction📜
Type: string
"deny"
violations.allowedFlexVolumes.kind📜
Type: string
"K8sPSPFlexVolumes"
violations.allowedFlexVolumes.name📜
Type: string
"allowed-flex-volumes"
violations.allowedFlexVolumes.match📜
Type: object
{}
violations.allowedFlexVolumes.parameters.allowedFlexVolumes📜
Type: list
[]
violations.allowedFlexVolumes.parameters.excludedResources📜
Type: list
[]
violations.allowedHostFilesystem.enabled📜
Type: bool
true
violations.allowedHostFilesystem.enforcementAction📜
Type: string
"deny"
violations.allowedHostFilesystem.kind📜
Type: string
"K8sPSPHostFilesystem"
violations.allowedHostFilesystem.name📜
Type: string
"allowed-host-filesystem"
violations.allowedHostFilesystem.match📜
Type: object
{}
violations.allowedHostFilesystem.parameters.allowedHostPaths📜
Type: list
[]
violations.allowedHostFilesystem.parameters.excludedResources📜
Type: list
[]
violations.allowedIPs.enabled📜
Type: bool
true
violations.allowedIPs.enforcementAction📜
Type: string
"deny"
violations.allowedIPs.kind📜
Type: string
"K8sExternalIPs"
violations.allowedIPs.name📜
Type: string
"allowed-ips"
violations.allowedIPs.match📜
Type: object
{}
violations.allowedIPs.parameters.allowedIPs📜
Type: list
[]
violations.allowedIPs.parameters.excludedResources📜
Type: list
[]
violations.allowedProcMount.enabled📜
Type: bool
true
violations.allowedProcMount.enforcementAction📜
Type: string
"deny"
violations.allowedProcMount.kind📜
Type: string
"K8sPSPProcMount"
violations.allowedProcMount.name📜
Type: string
"allowed-proc-mount"
violations.allowedProcMount.match📜
Type: object
{}
violations.allowedProcMount.parameters.procMount📜
Type: string
"Default"
violations.allowedProcMount.parameters.excludedResources📜
Type: list
[]
violations.allowedSecCompProfiles.enabled📜
Type: bool
true
violations.allowedSecCompProfiles.enforcementAction📜
Type: string
"dryrun"
violations.allowedSecCompProfiles.kind📜
Type: string
"K8sPSPSeccomp"
violations.allowedSecCompProfiles.name📜
Type: string
"allowed-sec-comp-profiles"
violations.allowedSecCompProfiles.match📜
Type: object
{}
violations.allowedSecCompProfiles.parameters.allowedProfiles[0]📜
Type: string
"runtime/default"
violations.allowedSecCompProfiles.parameters.excludedResources📜
Type: list
[]
violations.allowedUsers.enabled📜
Type: bool
true
violations.allowedUsers.enforcementAction📜
Type: string
"dryrun"
violations.allowedUsers.kind📜
Type: string
"K8sPSPAllowedUsers"
violations.allowedUsers.name📜
Type: string
"allowed-users"
violations.allowedUsers.match📜
Type: object
{}
violations.allowedUsers.parameters.runAsUser.rule📜
Type: string
"MustRunAsNonRoot"
violations.allowedUsers.parameters.fsGroup.rule📜
Type: string
"MustRunAs"
violations.allowedUsers.parameters.fsGroup.ranges[0].min📜
Type: int
1000
violations.allowedUsers.parameters.fsGroup.ranges[0].max📜
Type: int
65535
violations.allowedUsers.parameters.runAsGroup.rule📜
Type: string
"MustRunAs"
violations.allowedUsers.parameters.runAsGroup.ranges[0].min📜
Type: int
1000
violations.allowedUsers.parameters.runAsGroup.ranges[0].max📜
Type: int
65535
violations.allowedUsers.parameters.supplementalGroups.rule📜
Type: string
"MustRunAs"
violations.allowedUsers.parameters.supplementalGroups.ranges[0].min📜
Type: int
1000
violations.allowedUsers.parameters.supplementalGroups.ranges[0].max📜
Type: int
65535
violations.allowedUsers.parameters.excludedResources📜
Type: list
[]
violations.bannedImageTags.enabled📜
Type: bool
true
violations.bannedImageTags.enforcementAction📜
Type: string
"deny"
violations.bannedImageTags.kind📜
Type: string
"K8sBannedImageTags"
violations.bannedImageTags.name📜
Type: string
"banned-image-tags"
violations.bannedImageTags.match📜
Type: object
{}
violations.bannedImageTags.parameters.tags[0]📜
Type: string
"latest"
violations.bannedImageTags.parameters.excludedResources📜
Type: list
[]
violations.blockNodePort.enabled📜
Type: bool
true
violations.blockNodePort.enforcementAction📜
Type: string
"dryrun"
violations.blockNodePort.kind📜
Type: string
"K8sBlockNodePort"
violations.blockNodePort.name📜
Type: string
"block-node-ports"
violations.blockNodePort.match📜
Type: object
{}
violations.blockNodePort.parameters.excludedResources📜
Type: list
[]
violations.containerRatio.enabled📜
Type: bool
true
violations.containerRatio.enforcementAction📜
Type: string
"dryrun"
violations.containerRatio.kind📜
Type: string
"K8sContainerRatios"
violations.containerRatio.name📜
Type: string
"container-ratios"
violations.containerRatio.match📜
Type: object
{}
violations.containerRatio.parameters.ratio📜
Type: string
"2"
violations.containerRatio.parameters.excludedResources📜
Type: list
[]
violations.hostNetworking.enabled📜
Type: bool
true
violations.hostNetworking.enforcementAction📜
Type: string
"deny"
violations.hostNetworking.kind📜
Type: string
"K8sPSPHostNetworkingPorts"
violations.hostNetworking.name📜
Type: string
"host-networking"
violations.hostNetworking.match📜
Type: object
{}
violations.hostNetworking.parameters.hostNetwork📜
Type: bool
false
violations.hostNetworking.parameters.min📜
Type: int
0
violations.hostNetworking.parameters.max📜
Type: int
0
violations.hostNetworking.parameters.excludedResources📜
Type: list
[]
violations.httpsOnly.enabled📜
Type: bool
true
violations.httpsOnly.enforcementAction📜
Type: string
"deny"
violations.httpsOnly.kind📜
Type: string
"K8sHttpsOnly2"
violations.httpsOnly.name📜
Type: string
"https-only"
violations.httpsOnly.match📜
Type: object
{}
violations.httpsOnly.parameters.excludedResources📜
Type: list
[]
violations.imageDigest.enabled📜
Type: bool
true
violations.imageDigest.enforcementAction📜
Type: string
"dryrun"
violations.imageDigest.kind📜
Type: string
"K8sImageDigests2"
violations.imageDigest.name📜
Type: string
"image-digest"
violations.imageDigest.match📜
Type: object
{}
violations.imageDigest.parameters.excludedResources📜
Type: list
[]
violations.namespacesHaveIstio.enabled📜
Type: bool
true
violations.namespacesHaveIstio.enforcementAction📜
Type: string
"dryrun"
violations.namespacesHaveIstio.kind📜
Type: string
"K8sRequiredLabelValues"
violations.namespacesHaveIstio.name📜
Type: string
"namespaces-have-istio"
violations.namespacesHaveIstio.match.namespaceSelector.matchExpressions[0].key📜
Type: string
"admission.gatekeeper.sh/ignore"
violations.namespacesHaveIstio.match.namespaceSelector.matchExpressions[0].operator📜
Type: string
"DoesNotExist"
violations.namespacesHaveIstio.parameters.labels[0].allowedRegex📜
Type: string
"^enabled"
violations.namespacesHaveIstio.parameters.labels[0].key📜
Type: string
"istio-injection"
violations.namespacesHaveIstio.parameters.excludedResources📜
Type: list
[]
violations.noBigContainers.enabled📜
Type: bool
true
violations.noBigContainers.enforcementAction📜
Type: string
"dryrun"
violations.noBigContainers.kind📜
Type: string
"K8sContainerLimits"
violations.noBigContainers.name📜
Type: string
"no-big-container"
violations.noBigContainers.match📜
Type: object
{}
violations.noBigContainers.parameters.cpu📜
Type: string
"2000m"
violations.noBigContainers.parameters.memory📜
Type: string
"4G"
violations.noBigContainers.parameters.excludedResources📜
Type: list
[]
violations.noHostNamespace.enabled📜
Type: bool
true
violations.noHostNamespace.enforcementAction📜
Type: string
"deny"
violations.noHostNamespace.kind📜
Type: string
"K8sPSPHostNamespace2"
violations.noHostNamespace.name📜
Type: string
"no-host-namespace"
violations.noHostNamespace.match📜
Type: object
{}
violations.noHostNamespace.parameters.excludedResources📜
Type: list
[]
violations.noPrivilegedContainers.enabled📜
Type: bool
true
violations.noPrivilegedContainers.enforcementAction📜
Type: string
"deny"
violations.noPrivilegedContainers.kind📜
Type: string
"K8sPSPPrivilegedContainer2"
violations.noPrivilegedContainers.name📜
Type: string
"no-privileged-containers"
violations.noPrivilegedContainers.match📜
Type: object
{}
violations.noPrivilegedContainers.parameters.excludedResources📜
Type: list
[]
violations.noDefaultServiceAccount.enabled📜
Type: bool
true
violations.noDefaultServiceAccount.enforcementAction📜
Type: string
"dryrun"
violations.noDefaultServiceAccount.kind📜
Type: string
"K8sDenySADefault"
violations.noDefaultServiceAccount.name📜
Type: string
"no-default-service-account"
violations.noDefaultServiceAccount.match📜
Type: object
{}
violations.noDefaultServiceAccount.parameters.excludedResources📜
Type: list
[]
violations.noPrivilegedEscalation.enabled📜
Type: bool
true
violations.noPrivilegedEscalation.enforcementAction📜
Type: string
"dryrun"
violations.noPrivilegedEscalation.kind📜
Type: string
"K8sPSPAllowPrivilegeEscalationContainer2"
violations.noPrivilegedEscalation.name📜
Type: string
"no-privileged-escalation"
violations.noPrivilegedEscalation.match📜
Type: object
{}
violations.noPrivilegedEscalation.parameters.excludedResources📜
Type: list
[]
violations.noSysctls.enabled📜
Type: bool
true
violations.noSysctls.enforcementAction📜
Type: string
"deny"
violations.noSysctls.kind📜
Type: string
"K8sPSPForbiddenSysctls"
violations.noSysctls.name📜
Type: string
"no-sysctls"
violations.noSysctls.match📜
Type: object
{}
violations.noSysctls.parameters.forbiddenSysctls[0]📜
Type: string
"*"
violations.noSysctls.parameters.excludedResources📜
Type: list
[]
violations.podsHaveIstio.enabled📜
Type: bool
true
violations.podsHaveIstio.enforcementAction📜
Type: string
"dryrun"
violations.podsHaveIstio.kind📜
Type: string
"K8sNoAnnotationValues"
violations.podsHaveIstio.name📜
Type: string
"pods-have-istio"
violations.podsHaveIstio.match📜
Type: object
{}
violations.podsHaveIstio.parameters.annotations[0].disallowedRegex📜
Type: string
"^false"
violations.podsHaveIstio.parameters.annotations[0].key📜
Type: string
"sidecar.istio.io/inject"
violations.podsHaveIstio.parameters.excludedResources📜
Type: list
[]
violations.readOnlyRoot.enabled📜
Type: bool
true
violations.readOnlyRoot.enforcementAction📜
Type: string
"dryrun"
violations.readOnlyRoot.kind📜
Type: string
"K8sPSPReadOnlyRootFilesystem2"
violations.readOnlyRoot.name📜
Type: string
"read-only-root"
violations.readOnlyRoot.match📜
Type: object
{}
violations.readOnlyRoot.parameters.excludedResources📜
Type: list
[]
violations.requiredLabels.enabled📜
Type: bool
true
violations.requiredLabels.enforcementAction📜
Type: string
"dryrun"
violations.requiredLabels.kind📜
Type: string
"K8sRequiredLabelValues"
violations.requiredLabels.name📜
Type: string
"required-labels"
violations.requiredLabels.match📜
Type: object
{}
violations.requiredLabels.parameters.labels[0].allowedRegex📜
Type: string
""
violations.requiredLabels.parameters.labels[0].key📜
Type: string
"app.kubernetes.io/name"
violations.requiredLabels.parameters.labels[1].allowedRegex📜
Type: string
""
violations.requiredLabels.parameters.labels[1].key📜
Type: string
"app.kubernetes.io/instance"
violations.requiredLabels.parameters.labels[2].allowedRegex📜
Type: string
""
violations.requiredLabels.parameters.labels[2].key📜
Type: string
"app.kubernetes.io/version"
violations.requiredLabels.parameters.labels[3].allowedRegex📜
Type: string
""
violations.requiredLabels.parameters.labels[3].key📜
Type: string
"app.kubernetes.io/component"
violations.requiredLabels.parameters.labels[4].allowedRegex📜
Type: string
""
violations.requiredLabels.parameters.labels[4].key📜
Type: string
"app.kubernetes.io/part-of"
violations.requiredLabels.parameters.labels[5].allowedRegex📜
Type: string
""
violations.requiredLabels.parameters.labels[5].key📜
Type: string
"app.kubernetes.io/managed-by"
violations.requiredLabels.parameters.excludedResources📜
Type: list
[]
violations.requiredProbes.enabled📜
Type: bool
true
violations.requiredProbes.enforcementAction📜
Type: string
"dryrun"
violations.requiredProbes.kind📜
Type: string
"K8sRequiredProbes"
violations.requiredProbes.name📜
Type: string
"required-probes"
violations.requiredProbes.match📜
Type: object
{}
violations.requiredProbes.parameters.probeTypes[0]📜
Type: string
"tcpSocket"
violations.requiredProbes.parameters.probeTypes[1]📜
Type: string
"httpGet"
violations.requiredProbes.parameters.probeTypes[2]📜
Type: string
"exec"
violations.requiredProbes.parameters.probes[0]📜
Type: string
"readinessProbe"
violations.requiredProbes.parameters.probes[1]📜
Type: string
"livenessProbe"
violations.requiredProbes.parameters.excludedResources📜
Type: list
[]
violations.restrictedTaint.enabled📜
Type: bool
true
violations.restrictedTaint.enforcementAction📜
Type: string
"deny"
violations.restrictedTaint.kind📜
Type: string
"RestrictedTaintToleration"
violations.restrictedTaint.name📜
Type: string
"restricted-taint"
violations.restrictedTaint.match📜
Type: object
{}
violations.restrictedTaint.parameters.allowGlobalToleration📜
Type: bool
false
violations.restrictedTaint.parameters.restrictedTaint.effect📜
Type: string
"NoSchedule"
violations.restrictedTaint.parameters.restrictedTaint.key📜
Type: string
"privileged"
violations.restrictedTaint.parameters.restrictedTaint.value📜
Type: string
"true"
violations.restrictedTaint.parameters.excludedResources📜
Type: list
[]
violations.selinuxPolicy.enabled📜
Type: bool
true
violations.selinuxPolicy.enforcementAction📜
Type: string
"deny"
violations.selinuxPolicy.kind📜
Type: string
"K8sPSPSELinuxV2"
violations.selinuxPolicy.name📜
Type: string
"selinux-policy"
violations.selinuxPolicy.match📜
Type: object
{}
violations.selinuxPolicy.parameters.allowedSELinuxOptions[0].level📜
Type: string
nil
violations.selinuxPolicy.parameters.allowedSELinuxOptions[0].role📜
Type: string
nil
violations.selinuxPolicy.parameters.allowedSELinuxOptions[0].type📜
Type: string
nil
violations.selinuxPolicy.parameters.allowedSELinuxOptions[0].user📜
Type: string
nil
violations.selinuxPolicy.parameters.excludedResources📜
Type: list
[]
violations.uniqueIngressHost.enabled📜
Type: bool
true
violations.uniqueIngressHost.enforcementAction📜
Type: string
"deny"
violations.uniqueIngressHost.kind📜
Type: string
"K8sUniqueIngressHost"
violations.uniqueIngressHost.name📜
Type: string
"unique-ingress-hosts"
violations.uniqueIngressHost.match📜
Type: object
{}
violations.uniqueIngressHost.parameters.excludedResources📜
Type: list
[]
violations.volumeTypes.enabled📜
Type: bool
true
violations.volumeTypes.enforcementAction📜
Type: string
"deny"
violations.volumeTypes.kind📜
Type: string
"K8sPSPVolumeTypes"
violations.volumeTypes.name📜
Type: string
"volume-types"
violations.volumeTypes.match📜
Type: object
{}
violations.volumeTypes.parameters.volumes[0]📜
Type: string
"configMap"
violations.volumeTypes.parameters.volumes[1]📜
Type: string
"emptyDir"
violations.volumeTypes.parameters.volumes[2]📜
Type: string
"projected"
violations.volumeTypes.parameters.volumes[3]📜
Type: string
"secret"
violations.volumeTypes.parameters.volumes[4]📜
Type: string
"downwardAPI"
violations.volumeTypes.parameters.volumes[5]📜
Type: string
"persistentVolumeClaim"
violations.volumeTypes.parameters.excludedResources📜
Type: list
[]
monitoring.enabled📜
Type: bool
false
networkPolicies.enabled📜
Type: bool
false
networkPolicies.controlPlaneCidr📜
Type: string
"0.0.0.0/0"
networkPolicies.additionalPolicies📜
Type: list
[]
bbtests.enabled📜
Type: bool
true
bbtests.scripts.image📜
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.29.6"
bbtests.scripts.securityContext.allowPrivilegeEscalation📜
Type: bool
false
bbtests.scripts.securityContext.capabilities.drop[0]📜
Type: string
"ALL"
bbtests.scripts.securityContext.readOnlyRootFilesystem📜
Type: bool
true
bbtests.scripts.securityContext.runAsGroup📜
Type: int
999
bbtests.scripts.securityContext.runAsNonRoot📜
Type: bool
true
bbtests.scripts.securityContext.runAsUser📜
Type: int
1000
bbtests.scripts.additionalVolumeMounts[0].name📜
Type: string
"{{ .Chart.Name }}-test-config"
bbtests.scripts.additionalVolumeMounts[0].mountPath📜
Type: string
"/yaml"
bbtests.scripts.additionalVolumeMounts[1].name📜
Type: string
"{{ .Chart.Name }}-kube-cache"
bbtests.scripts.additionalVolumeMounts[1].mountPath📜
Type: string
"/.kube/cache"
bbtests.scripts.additionalVolumes[0].name📜
Type: string
"{{ .Chart.Name }}-test-config"
bbtests.scripts.additionalVolumes[0].configMap.name📜
Type: string
"{{ .Chart.Name }}-test-config"
bbtests.scripts.additionalVolumes[1].name📜
Type: string
"{{ .Chart.Name }}-kube-cache"
bbtests.scripts.additionalVolumes[1].emptyDir📜
Type: object
{}
serviceAccount.gatekeeperAdmin.create📜
Type: bool
true