
policy values.yaml📜

openshift📜

Type: bool

Default value
false

replicas📜

Type: int

Default value
3

revisionHistoryLimit📜

Type: int

Default value
10

auditInterval📜

Type: int

Default value
60

metricsBackends[0]📜

Type: string

Default value
"prometheus"

auditMatchKindOnly📜

Type: bool

Default value
true

constraintViolationsLimit📜

Type: int

Default value
1000

auditFromCache📜

Type: bool

Default value
false

disableMutation📜

Type: bool

Default value
true

disableAudit📜

Type: bool

Default value
false

disableValidatingWebhook📜

Type: bool

Default value
false

validatingWebhookName📜

Type: string

Default value
"gatekeeper-validating-webhook-configuration"

validatingWebhookTimeoutSeconds📜

Type: int

Default value
15

validatingWebhookFailurePolicy📜

Type: string

Default value
"Ignore"

validatingWebhookAnnotations📜

Type: object

Default value
{}

validatingWebhookExemptNamespacesLabels📜

Type: object

Default value
{}

validatingWebhookObjectSelector📜

Type: object

Default value
{}

validatingWebhookMatchConditions📜

Type: list

Default value
[]

validatingWebhookCheckIgnoreFailurePolicy📜

Type: string

Default value
"Fail"

validatingWebhookCustomRules📜

Type: object

Default value
{}

validatingWebhookURL📜

Type: string

Default value
nil

enableDeleteOperations📜

Type: bool

Default value
false

enableExternalData📜

Type: bool

Default value
true

enableGeneratorResourceExpansion📜

Type: bool

Default value
true

enableTLSHealthcheck📜

Type: bool

Default value
false

maxServingThreads📜

Type: int

Default value
-1

mutatingWebhookName📜

Type: string

Default value
"gatekeeper-mutating-webhook-configuration"

mutatingWebhookFailurePolicy📜

Type: string

Default value
"Ignore"

mutatingWebhookReinvocationPolicy📜

Type: string

Default value
"Never"

mutatingWebhookAnnotations📜

Type: object

Default value
{}

mutatingWebhookExemptNamespacesLabels📜

Type: object

Default value
{}

mutatingWebhookObjectSelector📜

Type: object

Default value
{}

mutatingWebhookMatchConditions📜

Type: list

Default value
[]

mutatingWebhookTimeoutSeconds📜

Type: int

Default value
1

mutatingWebhookCustomRules📜

Type: object

Default value
{}

mutatingWebhookURL📜

Type: string

Default value
nil

mutationAnnotations📜

Type: bool

Default value
false

auditChunkSize📜

Type: int

Default value
500

logLevel📜

Type: string

Default value
"INFO"

logDenies📜

Type: bool

Default value
true

logMutations📜

Type: bool

Default value
true

emitAdmissionEvents📜

Type: bool

Default value
false

emitAuditEvents📜

Type: bool

Default value
false

admissionEventsInvolvedNamespace📜

Type: bool

Default value
false

auditEventsInvolvedNamespace📜

Type: bool

Default value
false

resourceQuota📜

Type: bool

Default value
true

externaldataProviderResponseCacheTTL📜

Type: string

Default value
"3m"

enableK8sNativeValidation📜

Type: bool

Default value
false

vapEnforcement📜

Type: string

Default value
"GATEKEEPER_DEFAULT"

image.repository📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper"

image.release📜

Type: string

Default value
"v3.16.3"

image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

image.pullSecrets[0].name📜

Type: string

Default value
"private-registry"

image.crdRepository📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"

image.crdRelease📜

Type: string

Default value
"v1.29.5"

preInstall.crdRepository.image.repository📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"

preInstall.crdRepository.image.tag📜

Type: string

Default value
"v1.29.5"

preInstall.securityContext.allowPrivilegeEscalation📜

Type: bool

Default value
false

preInstall.securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

preInstall.securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

preInstall.securityContext.runAsGroup📜

Type: int

Default value
999

preInstall.securityContext.runAsNonRoot📜

Type: bool

Default value
true

preInstall.securityContext.runAsUser📜

Type: int

Default value
1000

postUpgrade.labelNamespace.enabled📜

Type: bool

Default value
false

postUpgrade.labelNamespace.image.repository📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"

postUpgrade.labelNamespace.image.tag📜

Type: string

Default value
"v1.29.5"

postUpgrade.labelNamespace.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

postUpgrade.labelNamespace.image.pullSecrets📜

Type: list

Default value
[]

postUpgrade.labelNamespace.extraNamespaces📜

Type: list

Default value
[]

postUpgrade.labelNamespace.podSecurity📜

Type: list

Default value
[]

postUpgrade.labelNamespace.extraAnnotations📜

Type: object

Default value
{}

postUpgrade.labelNamespace.priorityClassName📜

Type: string

Default value
""

postUpgrade.affinity📜

Type: object

Default value
{}

postUpgrade.tolerations📜

Type: list

Default value
[]

postUpgrade.nodeSelector."kubernetes.io/os"📜

Type: string

Default value
"linux"

postUpgrade.resources📜

Type: object

Default value
{}

postUpgrade.securityContext.allowPrivilegeEscalation📜

Type: bool

Default value
false

postUpgrade.securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

postUpgrade.securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

postUpgrade.securityContext.runAsGroup📜

Type: int

Default value
999

postUpgrade.securityContext.runAsNonRoot📜

Type: bool

Default value
true

postUpgrade.securityContext.runAsUser📜

Type: int

Default value
1000

postInstall.labelNamespace.enabled📜

Type: bool

Default value
true

postInstall.labelNamespace.extraRules📜

Type: list

Default value
[]

postInstall.labelNamespace.image.repository📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"

postInstall.labelNamespace.image.tag📜

Type: string

Default value
"v1.29.5"

postInstall.labelNamespace.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

postInstall.labelNamespace.image.pullSecrets📜

Type: list

Default value
[]

postInstall.labelNamespace.extraNamespaces📜

Type: list

Default value
[]

postInstall.labelNamespace.podSecurity📜

Type: list

Default value
[]

postInstall.labelNamespace.extraAnnotations📜

Type: object

Default value
{}

postInstall.labelNamespace.priorityClassName📜

Type: string

Default value
""

postInstall.probeWebhook.enabled📜

Type: bool

Default value
true

postInstall.probeWebhook.image.repository📜

Type: string

Default value
"registry1.dso.mil/ironbank/big-bang/base"

postInstall.probeWebhook.image.tag📜

Type: string

Default value
"2.1.0"

postInstall.probeWebhook.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

postInstall.probeWebhook.image.pullSecrets📜

Type: list

Default value
[]

postInstall.probeWebhook.waitTimeout📜

Type: int

Default value
60

postInstall.probeWebhook.httpTimeout📜

Type: int

Default value
2

postInstall.probeWebhook.insecureHTTPS📜

Type: bool

Default value
false

postInstall.probeWebhook.priorityClassName📜

Type: string

Default value
""

postInstall.affinity📜

Type: object

Default value
{}

postInstall.tolerations📜

Type: list

Default value
[]

postInstall.nodeSelector."kubernetes.io/os"📜

Type: string

Default value
"linux"

postInstall.securityContext.allowPrivilegeEscalation📜

Type: bool

Default value
false

postInstall.securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

postInstall.securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

postInstall.securityContext.runAsGroup📜

Type: int

Default value
999

postInstall.securityContext.runAsNonRoot📜

Type: bool

Default value
true

postInstall.securityContext.runAsUser📜

Type: int

Default value
1000

preUninstall.deleteWebhookConfigurations.extraRules📜

Type: list

Default value
[]

preUninstall.deleteWebhookConfigurations.enabled📜

Type: bool

Default value
false

preUninstall.deleteWebhookConfigurations.image.repository📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl"

preUninstall.deleteWebhookConfigurations.image.tag📜

Type: string

Default value
"v1.29.5"

preUninstall.deleteWebhookConfigurations.image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

preUninstall.deleteWebhookConfigurations.image.pullSecrets📜

Type: list

Default value
[]

preUninstall.deleteWebhookConfigurations.priorityClassName📜

Type: string

Default value
""

preUninstall.affinity📜

Type: object

Default value
{}

preUninstall.tolerations📜

Type: list

Default value
[]

preUninstall.nodeSelector."kubernetes.io/os"📜

Type: string

Default value
"linux"

preUninstall.resources📜

Type: object

Default value
{}

preUninstall.securityContext.allowPrivilegeEscalation📜

Type: bool

Default value
false

preUninstall.securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

preUninstall.securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

preUninstall.securityContext.runAsGroup📜

Type: int

Default value
999

preUninstall.securityContext.runAsNonRoot📜

Type: bool

Default value
true

preUninstall.securityContext.runAsUser📜

Type: int

Default value
1000

podAnnotations."container.seccomp.security.alpha.kubernetes.io/manager"📜

Type: string

Default value
"runtime/default"

auditPodAnnotations📜

Type: object

Default value
{}

podLabels📜

Type: object

Default value
{}

podCountLimit📜

Type: string

Default value
"100"

secretAnnotations📜

Type: object

Default value
{}

enableRuntimeDefaultSeccompProfile📜

Type: bool

Default value
true

controllerManager.exemptNamespaces📜

Type: list

Default value
[]

controllerManager.exemptNamespacePrefixes📜

Type: list

Default value
[]

controllerManager.hostNetwork📜

Type: bool

Default value
false

controllerManager.dnsPolicy📜

Type: string

Default value
"ClusterFirst"

controllerManager.port📜

Type: int

Default value
8443

controllerManager.metricsPort📜

Type: int

Default value
8888

controllerManager.healthPort📜

Type: int

Default value
9090

controllerManager.readinessTimeout📜

Type: int

Default value
1

controllerManager.livenessTimeout📜

Type: int

Default value
1

controllerManager.priorityClassName📜

Type: string

Default value
"system-cluster-critical"

controllerManager.disableCertRotation📜

Type: bool

Default value
false

controllerManager.tlsMinVersion📜

Type: float

Default value
1.3

controllerManager.clientCertName📜

Type: string

Default value
""

controllerManager.strategyType📜

Type: string

Default value
"RollingUpdate"

controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].key📜

Type: string

Default value
"gatekeeper.sh/operation"

controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].operator📜

Type: string

Default value
"In"

controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values[0]📜

Type: string

Default value
"webhook"

controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey📜

Type: string

Default value
"kubernetes.io/hostname"

controllerManager.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight📜

Type: int

Default value
100

controllerManager.topologySpreadConstraints📜

Type: list

Default value
[]

controllerManager.tolerations📜

Type: list

Default value
[]

controllerManager.nodeSelector."kubernetes.io/os"📜

Type: string

Default value
"linux"

controllerManager.resources.limits.cpu📜

Type: string

Default value
"175m"

controllerManager.resources.limits.memory📜

Type: string

Default value
"512Mi"

controllerManager.resources.requests.cpu📜

Type: string

Default value
"175m"

controllerManager.resources.requests.memory📜

Type: string

Default value
"512Mi"

controllerManager.securityContext.allowPrivilegeEscalation📜

Type: bool

Default value
false

controllerManager.securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

controllerManager.securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

controllerManager.securityContext.runAsGroup📜

Type: int

Default value
999

controllerManager.securityContext.runAsNonRoot📜

Type: bool

Default value
true

controllerManager.securityContext.runAsUser📜

Type: int

Default value
1000

controllerManager.podSecurityContext.fsGroup📜

Type: int

Default value
999

controllerManager.podSecurityContext.supplementalGroups[0]📜

Type: int

Default value
999

controllerManager.extraRules📜

Type: list

Default value
[]

controllerManager.networkPolicy.enabled📜

Type: bool

Default value
false

controllerManager.networkPolicy.ingress📜

Type: object

Default value
{}

audit.enablePubsub📜

Type: bool

Default value
false

audit.hostNetwork📜

Type: bool

Default value
false

audit.dnsPolicy📜

Type: string

Default value
"ClusterFirst"

audit.metricsPort📜

Type: int

Default value
8888

audit.healthPort📜

Type: int

Default value
9090

audit.readinessTimeout📜

Type: int

Default value
1

audit.livenessTimeout📜

Type: int

Default value
1

audit.priorityClassName📜

Type: string

Default value
"system-cluster-critical"

audit.disableCertRotation📜

Type: bool

Default value
false

audit.affinity📜

Type: object

Default value
{}

audit.tolerations📜

Type: list

Default value
[]

audit.nodeSelector."kubernetes.io/os"📜

Type: string

Default value
"linux"

audit.resources.limits.cpu📜

Type: float

Default value
1.2

audit.resources.limits.memory📜

Type: string

Default value
"768Mi"

audit.resources.requests.cpu📜

Type: float

Default value
1.2

audit.resources.requests.memory📜

Type: string

Default value
"768Mi"

audit.securityContext.allowPrivilegeEscalation📜

Type: bool

Default value
false

audit.securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

audit.securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

audit.securityContext.runAsGroup📜

Type: int

Default value
999

audit.securityContext.runAsNonRoot📜

Type: bool

Default value
true

audit.securityContext.runAsUser📜

Type: int

Default value
1000

audit.podSecurityContext.fsGroup📜

Type: int

Default value
999

audit.podSecurityContext.supplementalGroups[0]📜

Type: int

Default value
999

audit.writeToRAMDisk📜

Type: bool

Default value
false

audit.extraRules📜

Type: list

Default value
[]

crds.affinity📜

Type: object

Default value
{}

crds.tolerations📜

Type: list

Default value
[]

crds.nodeSelector."kubernetes.io/os"📜

Type: string

Default value
"linux"

crds.resources📜

Type: object

Default value
{}

crds.securityContext.allowPrivilegeEscalation📜

Type: bool

Default value
false

crds.securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

crds.securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

crds.securityContext.runAsGroup📜

Type: int

Default value
65532

crds.securityContext.runAsNonRoot📜

Type: bool

Default value
true

crds.securityContext.runAsUser📜

Type: int

Default value
65532

pdb.controllerManager.minAvailable📜

Type: int

Default value
1

service📜

Type: object

Default value
{}

disabledBuiltins[0]📜

Type: string

Default value
"{http.send}"

psp.enabled📜

Type: bool

Default value
false

upgradeCRDs.enabled📜

Type: bool

Default value
true

upgradeCRDs.extraRules📜

Type: list

Default value
[]

upgradeCRDs.priorityClassName📜

Type: string

Default value
""

cleanupCRDs.enabled📜

Type: bool

Default value
true

cleanupCRDs.containerSecurityContext.allowPrivilegeEscalation📜

Type: bool

Default value
false

cleanupCRDs.containerSecurityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

cleanupCRDs.containerSecurityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

cleanupCRDs.containerSecurityContext.runAsGroup📜

Type: int

Default value
999

cleanupCRDs.containerSecurityContext.runAsNonRoot📜

Type: bool

Default value
true

cleanupCRDs.containerSecurityContext.runAsUser📜

Type: int

Default value
1000

cleanupCRDs.securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

cleanupCRDs.securityContext.runAsGroup📜

Type: int

Default value
999

cleanupCRDs.securityContext.runAsNonRoot📜

Type: bool

Default value
true

cleanupCRDs.securityContext.runAsUser📜

Type: int

Default value
1000

cleanupCRDs.securityContext.fsGroup📜

Type: int

Default value
999

cleanupCRDs.securityContext.supplementalGroups[0]📜

Type: int

Default value
999

rbac.create📜

Type: bool

Default value
true

externalCertInjection.enabled📜

Type: bool

Default value
false

externalCertInjection.secretName📜

Type: string

Default value
"gatekeeper-webhook-server-cert"

violations.allowedAppArmorProfiles.enabled📜

Type: bool

Default value
false

violations.allowedAppArmorProfiles.enforcementAction📜

Type: string

Default value
"dryrun"

violations.allowedAppArmorProfiles.kind📜

Type: string

Default value
"K8sPSPAppArmor"

violations.allowedAppArmorProfiles.name📜

Type: string

Default value
"allowed-app-armor-profiles"

violations.allowedAppArmorProfiles.match📜

Type: object

Default value
{}

violations.allowedAppArmorProfiles.parameters.allowedProfiles[0]📜

Type: string

Default value
"runtime/default"

violations.allowedAppArmorProfiles.parameters.excludedResources📜

Type: list

Default value
[]

violations.allowedCapabilities.enabled📜

Type: bool

Default value
true

violations.allowedCapabilities.enforcementAction📜

Type: string

Default value
"dryrun"

violations.allowedCapabilities.kind📜

Type: string

Default value
"K8sPSPCapabilities"

violations.allowedCapabilities.name📜

Type: string

Default value
"allowed-capabilities"

violations.allowedCapabilities.match📜

Type: object

Default value
{}

violations.allowedCapabilities.parameters.allowedCapabilities📜

Type: list

Default value
[]

violations.allowedCapabilities.parameters.requiredDropCapabilities[0]📜

Type: string

Default value
"all"

violations.allowedCapabilities.parameters.excludedResources📜

Type: list

Default value
[]

violations.allowedDockerRegistries.enabled📜

Type: bool

Default value
true

violations.allowedDockerRegistries.enforcementAction📜

Type: string

Default value
"deny"

violations.allowedDockerRegistries.kind📜

Type: string

Default value
"K8sAllowedRepos"

violations.allowedDockerRegistries.name📜

Type: string

Default value
"allowed-docker-registries"

violations.allowedDockerRegistries.match📜

Type: object

Default value
{}

violations.allowedDockerRegistries.parameters.repos[0]📜

Type: string

Default value
"registry1.dso.mil"

violations.allowedDockerRegistries.parameters.excludedResources📜

Type: list

Default value
[]

violations.allowedFlexVolumes.enabled📜

Type: bool

Default value
true

violations.allowedFlexVolumes.enforcementAction📜

Type: string

Default value
"deny"

violations.allowedFlexVolumes.kind📜

Type: string

Default value
"K8sPSPFlexVolumes"

violations.allowedFlexVolumes.name📜

Type: string

Default value
"allowed-flex-volumes"

violations.allowedFlexVolumes.match📜

Type: object

Default value
{}

violations.allowedFlexVolumes.parameters.allowedFlexVolumes📜

Type: list

Default value
[]

violations.allowedFlexVolumes.parameters.excludedResources📜

Type: list

Default value
[]

violations.allowedHostFilesystem.enabled📜

Type: bool

Default value
true

violations.allowedHostFilesystem.enforcementAction📜

Type: string

Default value
"deny"

violations.allowedHostFilesystem.kind📜

Type: string

Default value
"K8sPSPHostFilesystem"

violations.allowedHostFilesystem.name📜

Type: string

Default value
"allowed-host-filesystem"

violations.allowedHostFilesystem.match📜

Type: object

Default value
{}

violations.allowedHostFilesystem.parameters.allowedHostPaths📜

Type: list

Default value
[]

violations.allowedHostFilesystem.parameters.excludedResources📜

Type: list

Default value
[]

violations.allowedIPs.enabled📜

Type: bool

Default value
true

violations.allowedIPs.enforcementAction📜

Type: string

Default value
"deny"

violations.allowedIPs.kind📜

Type: string

Default value
"K8sExternalIPs"

violations.allowedIPs.name📜

Type: string

Default value
"allowed-ips"

violations.allowedIPs.match📜

Type: object

Default value
{}

violations.allowedIPs.parameters.allowedIPs📜

Type: list

Default value
[]

violations.allowedIPs.parameters.excludedResources📜

Type: list

Default value
[]

violations.allowedProcMount.enabled📜

Type: bool

Default value
true

violations.allowedProcMount.enforcementAction📜

Type: string

Default value
"deny"

violations.allowedProcMount.kind📜

Type: string

Default value
"K8sPSPProcMount"

violations.allowedProcMount.name📜

Type: string

Default value
"allowed-proc-mount"

violations.allowedProcMount.match📜

Type: object

Default value
{}

violations.allowedProcMount.parameters.procMount📜

Type: string

Default value
"Default"

violations.allowedProcMount.parameters.excludedResources📜

Type: list

Default value
[]

violations.allowedSecCompProfiles.enabled📜

Type: bool

Default value
true

violations.allowedSecCompProfiles.enforcementAction📜

Type: string

Default value
"dryrun"

violations.allowedSecCompProfiles.kind📜

Type: string

Default value
"K8sPSPSeccomp"

violations.allowedSecCompProfiles.name📜

Type: string

Default value
"allowed-sec-comp-profiles"

violations.allowedSecCompProfiles.match📜

Type: object

Default value
{}

violations.allowedSecCompProfiles.parameters.allowedProfiles[0]📜

Type: string

Default value
"runtime/default"

violations.allowedSecCompProfiles.parameters.excludedResources📜

Type: list

Default value
[]

violations.allowedUsers.enabled📜

Type: bool

Default value
true

violations.allowedUsers.enforcementAction📜

Type: string

Default value
"dryrun"

violations.allowedUsers.kind📜

Type: string

Default value
"K8sPSPAllowedUsers"

violations.allowedUsers.name📜

Type: string

Default value
"allowed-users"

violations.allowedUsers.match📜

Type: object

Default value
{}

violations.allowedUsers.parameters.runAsUser.rule📜

Type: string

Default value
"MustRunAsNonRoot"

violations.allowedUsers.parameters.fsGroup.rule📜

Type: string

Default value
"MustRunAs"

violations.allowedUsers.parameters.fsGroup.ranges[0].min📜

Type: int

Default value
1000

violations.allowedUsers.parameters.fsGroup.ranges[0].max📜

Type: int

Default value
65535

violations.allowedUsers.parameters.runAsGroup.rule📜

Type: string

Default value
"MustRunAs"

violations.allowedUsers.parameters.runAsGroup.ranges[0].min📜

Type: int

Default value
1000

violations.allowedUsers.parameters.runAsGroup.ranges[0].max📜

Type: int

Default value
65535

violations.allowedUsers.parameters.supplementalGroups.rule📜

Type: string

Default value
"MustRunAs"

violations.allowedUsers.parameters.supplementalGroups.ranges[0].min📜

Type: int

Default value
1000

violations.allowedUsers.parameters.supplementalGroups.ranges[0].max📜

Type: int

Default value
65535

violations.allowedUsers.parameters.excludedResources📜

Type: list

Default value
[]

violations.bannedImageTags.enabled📜

Type: bool

Default value
true

violations.bannedImageTags.enforcementAction📜

Type: string

Default value
"deny"

violations.bannedImageTags.kind📜

Type: string

Default value
"K8sBannedImageTags"

violations.bannedImageTags.name📜

Type: string

Default value
"banned-image-tags"

violations.bannedImageTags.match📜

Type: object

Default value
{}

violations.bannedImageTags.parameters.tags[0]📜

Type: string

Default value
"latest"

violations.bannedImageTags.parameters.excludedResources📜

Type: list

Default value
[]

violations.blockNodePort.enabled📜

Type: bool

Default value
true

violations.blockNodePort.enforcementAction📜

Type: string

Default value
"dryrun"

violations.blockNodePort.kind📜

Type: string

Default value
"K8sBlockNodePort"

violations.blockNodePort.name📜

Type: string

Default value
"block-node-ports"

violations.blockNodePort.match📜

Type: object

Default value
{}

violations.blockNodePort.parameters.excludedResources📜

Type: list

Default value
[]

violations.containerRatio.enabled📜

Type: bool

Default value
true

violations.containerRatio.enforcementAction📜

Type: string

Default value
"dryrun"

violations.containerRatio.kind📜

Type: string

Default value
"K8sContainerRatios"

violations.containerRatio.name📜

Type: string

Default value
"container-ratios"

violations.containerRatio.match📜

Type: object

Default value
{}

violations.containerRatio.parameters.ratio📜

Type: string

Default value
"2"

violations.containerRatio.parameters.excludedResources📜

Type: list

Default value
[]

violations.hostNetworking.enabled📜

Type: bool

Default value
true

violations.hostNetworking.enforcementAction📜

Type: string

Default value
"deny"

violations.hostNetworking.kind📜

Type: string

Default value
"K8sPSPHostNetworkingPorts"

violations.hostNetworking.name📜

Type: string

Default value
"host-networking"

violations.hostNetworking.match📜

Type: object

Default value
{}

violations.hostNetworking.parameters.hostNetwork📜

Type: bool

Default value
false

violations.hostNetworking.parameters.min📜

Type: int

Default value
0

violations.hostNetworking.parameters.max📜

Type: int

Default value
0

violations.hostNetworking.parameters.excludedResources📜

Type: list

Default value
[]

violations.httpsOnly.enabled📜

Type: bool

Default value
true

violations.httpsOnly.enforcementAction📜

Type: string

Default value
"deny"

violations.httpsOnly.kind📜

Type: string

Default value
"K8sHttpsOnly2"

violations.httpsOnly.name📜

Type: string

Default value
"https-only"

violations.httpsOnly.match📜

Type: object

Default value
{}

violations.httpsOnly.parameters.excludedResources📜

Type: list

Default value
[]

violations.imageDigest.enabled📜

Type: bool

Default value
true

violations.imageDigest.enforcementAction📜

Type: string

Default value
"dryrun"

violations.imageDigest.kind📜

Type: string

Default value
"K8sImageDigests2"

violations.imageDigest.name📜

Type: string

Default value
"image-digest"

violations.imageDigest.match📜

Type: object

Default value
{}

violations.imageDigest.parameters.excludedResources📜

Type: list

Default value
[]

violations.namespacesHaveIstio.enabled📜

Type: bool

Default value
true

violations.namespacesHaveIstio.enforcementAction📜

Type: string

Default value
"dryrun"

violations.namespacesHaveIstio.kind📜

Type: string

Default value
"K8sRequiredLabelValues"

violations.namespacesHaveIstio.name📜

Type: string

Default value
"namespaces-have-istio"

violations.namespacesHaveIstio.match.namespaceSelector.matchExpressions[0].key📜

Type: string

Default value
"admission.gatekeeper.sh/ignore"

violations.namespacesHaveIstio.match.namespaceSelector.matchExpressions[0].operator📜

Type: string

Default value
"DoesNotExist"

violations.namespacesHaveIstio.parameters.labels[0].allowedRegex📜

Type: string

Default value
"^enabled"

violations.namespacesHaveIstio.parameters.labels[0].key📜

Type: string

Default value
"istio-injection"

violations.namespacesHaveIstio.parameters.excludedResources📜

Type: list

Default value
[]

violations.noBigContainers.enabled📜

Type: bool

Default value
true

violations.noBigContainers.enforcementAction📜

Type: string

Default value
"dryrun"

violations.noBigContainers.kind📜

Type: string

Default value
"K8sContainerLimits"

violations.noBigContainers.name📜

Type: string

Default value
"no-big-container"

violations.noBigContainers.match📜

Type: object

Default value
{}

violations.noBigContainers.parameters.cpu📜

Type: string

Default value
"2000m"

violations.noBigContainers.parameters.memory📜

Type: string

Default value
"4G"

violations.noBigContainers.parameters.excludedResources📜

Type: list

Default value
[]

violations.noHostNamespace.enabled📜

Type: bool

Default value
true

violations.noHostNamespace.enforcementAction📜

Type: string

Default value
"deny"

violations.noHostNamespace.kind📜

Type: string

Default value
"K8sPSPHostNamespace2"

violations.noHostNamespace.name📜

Type: string

Default value
"no-host-namespace"

violations.noHostNamespace.match📜

Type: object

Default value
{}

violations.noHostNamespace.parameters.excludedResources📜

Type: list

Default value
[]

violations.noPrivilegedContainers.enabled📜

Type: bool

Default value
true

violations.noPrivilegedContainers.enforcementAction📜

Type: string

Default value
"deny"

violations.noPrivilegedContainers.kind📜

Type: string

Default value
"K8sPSPPrivilegedContainer2"

violations.noPrivilegedContainers.name📜

Type: string

Default value
"no-privileged-containers"

violations.noPrivilegedContainers.match📜

Type: object

Default value
{}

violations.noPrivilegedContainers.parameters.excludedResources📜

Type: list

Default value
[]

violations.noDefaultServiceAccount.enabled📜

Type: bool

Default value
true

violations.noDefaultServiceAccount.enforcementAction📜

Type: string

Default value
"dryrun"

violations.noDefaultServiceAccount.kind📜

Type: string

Default value
"K8sDenySADefault"

violations.noDefaultServiceAccount.name📜

Type: string

Default value
"no-default-service-account"

violations.noDefaultServiceAccount.match📜

Type: object

Default value
{}

violations.noDefaultServiceAccount.parameters.excludedResources📜

Type: list

Default value
[]

violations.noPrivilegedEscalation.enabled📜

Type: bool

Default value
true

violations.noPrivilegedEscalation.enforcementAction📜

Type: string

Default value
"dryrun"

violations.noPrivilegedEscalation.kind📜

Type: string

Default value
"K8sPSPAllowPrivilegeEscalationContainer2"

violations.noPrivilegedEscalation.name📜

Type: string

Default value
"no-privileged-escalation"

violations.noPrivilegedEscalation.match📜

Type: object

Default value
{}

violations.noPrivilegedEscalation.parameters.excludedResources📜

Type: list

Default value
[]

violations.noSysctls.enabled📜

Type: bool

Default value
true

violations.noSysctls.enforcementAction📜

Type: string

Default value
"deny"

violations.noSysctls.kind📜

Type: string

Default value
"K8sPSPForbiddenSysctls"

violations.noSysctls.name📜

Type: string

Default value
"no-sysctls"

violations.noSysctls.match📜

Type: object

Default value
{}

violations.noSysctls.parameters.forbiddenSysctls[0]📜

Type: string

Default value
"*"

violations.noSysctls.parameters.excludedResources📜

Type: list

Default value
[]

violations.podsHaveIstio.enabled📜

Type: bool

Default value
true

violations.podsHaveIstio.enforcementAction📜

Type: string

Default value
"dryrun"

violations.podsHaveIstio.kind📜

Type: string

Default value
"K8sNoAnnotationValues"

violations.podsHaveIstio.name📜

Type: string

Default value
"pods-have-istio"

violations.podsHaveIstio.match📜

Type: object

Default value
{}

violations.podsHaveIstio.parameters.annotations[0].disallowedRegex📜

Type: string

Default value
"^false"

violations.podsHaveIstio.parameters.annotations[0].key📜

Type: string

Default value
"sidecar.istio.io/inject"

violations.podsHaveIstio.parameters.excludedResources📜

Type: list

Default value
[]

violations.readOnlyRoot.enabled📜

Type: bool

Default value
true

violations.readOnlyRoot.enforcementAction📜

Type: string

Default value
"dryrun"

violations.readOnlyRoot.kind📜

Type: string

Default value
"K8sPSPReadOnlyRootFilesystem2"

violations.readOnlyRoot.name📜

Type: string

Default value
"read-only-root"

violations.readOnlyRoot.match📜

Type: object

Default value
{}

violations.readOnlyRoot.parameters.excludedResources📜

Type: list

Default value
[]

violations.requiredLabels.enabled📜

Type: bool

Default value
true

violations.requiredLabels.enforcementAction📜

Type: string

Default value
"dryrun"

violations.requiredLabels.kind📜

Type: string

Default value
"K8sRequiredLabelValues"

violations.requiredLabels.name📜

Type: string

Default value
"required-labels"

violations.requiredLabels.match📜

Type: object

Default value
{}

violations.requiredLabels.parameters.labels[0].allowedRegex📜

Type: string

Default value
""

violations.requiredLabels.parameters.labels[0].key📜

Type: string

Default value
"app.kubernetes.io/name"

violations.requiredLabels.parameters.labels[1].allowedRegex📜

Type: string

Default value
""

violations.requiredLabels.parameters.labels[1].key📜

Type: string

Default value
"app.kubernetes.io/instance"

violations.requiredLabels.parameters.labels[2].allowedRegex📜

Type: string

Default value
""

violations.requiredLabels.parameters.labels[2].key📜

Type: string

Default value
"app.kubernetes.io/version"

violations.requiredLabels.parameters.labels[3].allowedRegex📜

Type: string

Default value
""

violations.requiredLabels.parameters.labels[3].key📜

Type: string

Default value
"app.kubernetes.io/component"

violations.requiredLabels.parameters.labels[4].allowedRegex📜

Type: string

Default value
""

violations.requiredLabels.parameters.labels[4].key📜

Type: string

Default value
"app.kubernetes.io/part-of"

violations.requiredLabels.parameters.labels[5].allowedRegex📜

Type: string

Default value
""

violations.requiredLabels.parameters.labels[5].key📜

Type: string

Default value
"app.kubernetes.io/managed-by"

violations.requiredLabels.parameters.excludedResources📜

Type: list

Default value
[]

violations.requiredProbes.enabled📜

Type: bool

Default value
true

violations.requiredProbes.enforcementAction📜

Type: string

Default value
"dryrun"

violations.requiredProbes.kind📜

Type: string

Default value
"K8sRequiredProbes"

violations.requiredProbes.name📜

Type: string

Default value
"required-probes"

violations.requiredProbes.match📜

Type: object

Default value
{}

violations.requiredProbes.parameters.probeTypes[0]📜

Type: string

Default value
"tcpSocket"

violations.requiredProbes.parameters.probeTypes[1]📜

Type: string

Default value
"httpGet"

violations.requiredProbes.parameters.probeTypes[2]📜

Type: string

Default value
"exec"

violations.requiredProbes.parameters.probes[0]📜

Type: string

Default value
"readinessProbe"

violations.requiredProbes.parameters.probes[1]📜

Type: string

Default value
"livenessProbe"

violations.requiredProbes.parameters.excludedResources📜

Type: list

Default value
[]

violations.restrictedTaint.enabled📜

Type: bool

Default value
true

violations.restrictedTaint.enforcementAction📜

Type: string

Default value
"deny"

violations.restrictedTaint.kind📜

Type: string

Default value
"RestrictedTaintToleration"

violations.restrictedTaint.name📜

Type: string

Default value
"restricted-taint"

violations.restrictedTaint.match📜

Type: object

Default value
{}

violations.restrictedTaint.parameters.allowGlobalToleration📜

Type: bool

Default value
false

violations.restrictedTaint.parameters.restrictedTaint.effect📜

Type: string

Default value
"NoSchedule"

violations.restrictedTaint.parameters.restrictedTaint.key📜

Type: string

Default value
"privileged"

violations.restrictedTaint.parameters.restrictedTaint.value📜

Type: string

Default value
"true"

violations.restrictedTaint.parameters.excludedResources📜

Type: list

Default value
[]

violations.selinuxPolicy.enabled📜

Type: bool

Default value
true

violations.selinuxPolicy.enforcementAction📜

Type: string

Default value
"deny"

violations.selinuxPolicy.kind📜

Type: string

Default value
"K8sPSPSELinuxV2"

violations.selinuxPolicy.name📜

Type: string

Default value
"selinux-policy"

violations.selinuxPolicy.match📜

Type: object

Default value
{}

violations.selinuxPolicy.parameters.allowedSELinuxOptions[0].level📜

Type: string

Default value
nil

violations.selinuxPolicy.parameters.allowedSELinuxOptions[0].role📜

Type: string

Default value
nil

violations.selinuxPolicy.parameters.allowedSELinuxOptions[0].type📜

Type: string

Default value
nil

violations.selinuxPolicy.parameters.allowedSELinuxOptions[0].user📜

Type: string

Default value
nil

violations.selinuxPolicy.parameters.excludedResources📜

Type: list

Default value
[]

violations.uniqueIngressHost.enabled📜

Type: bool

Default value
true

violations.uniqueIngressHost.enforcementAction📜

Type: string

Default value
"deny"

violations.uniqueIngressHost.kind📜

Type: string

Default value
"K8sUniqueIngressHost"

violations.uniqueIngressHost.name📜

Type: string

Default value
"unique-ingress-hosts"

violations.uniqueIngressHost.match📜

Type: object

Default value
{}

violations.uniqueIngressHost.parameters.excludedResources📜

Type: list

Default value
[]

violations.volumeTypes.enabled📜

Type: bool

Default value
true

violations.volumeTypes.enforcementAction📜

Type: string

Default value
"deny"

violations.volumeTypes.kind📜

Type: string

Default value
"K8sPSPVolumeTypes"

violations.volumeTypes.name📜

Type: string

Default value
"volume-types"

violations.volumeTypes.match📜

Type: object

Default value
{}

violations.volumeTypes.parameters.volumes[0]📜

Type: string

Default value
"configMap"

violations.volumeTypes.parameters.volumes[1]📜

Type: string

Default value
"emptyDir"

violations.volumeTypes.parameters.volumes[2]📜

Type: string

Default value
"projected"

violations.volumeTypes.parameters.volumes[3]📜

Type: string

Default value
"secret"

violations.volumeTypes.parameters.volumes[4]📜

Type: string

Default value
"downwardAPI"

violations.volumeTypes.parameters.volumes[5]📜

Type: string

Default value
"persistentVolumeClaim"

violations.volumeTypes.parameters.excludedResources📜

Type: list

Default value
[]

monitoring.enabled📜

Type: bool

Default value
false

networkPolicies.enabled📜

Type: bool

Default value
false

networkPolicies.controlPlaneCidr📜

Type: string

Default value
"0.0.0.0/0"

networkPolicies.additionalPolicies📜

Type: list

Default value
[]

bbtests.enabled📜

Type: bool

Default value
true

bbtests.scripts.image📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.29.5"

bbtests.scripts.securityContext.allowPrivilegeEscalation📜

Type: bool

Default value
false

bbtests.scripts.securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

bbtests.scripts.securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

bbtests.scripts.securityContext.runAsGroup📜

Type: int

Default value
999

bbtests.scripts.securityContext.runAsNonRoot📜

Type: bool

Default value
true

bbtests.scripts.securityContext.runAsUser📜

Type: int

Default value
1000

bbtests.scripts.additionalVolumeMounts[0].name📜

Type: string

Default value
"{{ .Chart.Name }}-test-config"

bbtests.scripts.additionalVolumeMounts[0].mountPath📜

Type: string

Default value
"/yaml"

bbtests.scripts.additionalVolumeMounts[1].name📜

Type: string

Default value
"{{ .Chart.Name }}-kube-cache"

bbtests.scripts.additionalVolumeMounts[1].mountPath📜

Type: string

Default value
"/.kube/cache"

bbtests.scripts.additionalVolumes[0].name📜

Type: string

Default value
"{{ .Chart.Name }}-test-config"

bbtests.scripts.additionalVolumes[0].configMap.name📜

Type: string

Default value
"{{ .Chart.Name }}-test-config"

bbtests.scripts.additionalVolumes[1].name📜

Type: string

Default value
"{{ .Chart.Name }}-kube-cache"

bbtests.scripts.additionalVolumes[1].emptyDir📜

Type: object

Default value
{}