kyverno
Helm chart
Request a free trial
Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.
Tag:
1
global:
2
# -- Internal settings used with `helm template` to generate install manifest
3
# @ignored
4
templating:
5
enabled: false
6
debug: false
7
version: ~
8
image:
9
# -- (string) Global value that allows to set a single image registry across all deployments.
10
# When set, it will override any values set under `.image.registry` across the chart.
11
registry: ~
12
# -- (list) Global list of Image pull secrets
13
# When set, it will override any values set under `imagePullSecrets` under different components across the chart.
14
imagePullSecrets: []
15
# -- Resync period for informers
16
resyncPeriod: 15m
17
# -- Enable/Disable custom resource watcher to invalidate cache
18
crdWatcher: false
19
caCertificates:
20
# -- Global CA certificates to use with Kyverno deployments
21
# This value is expected to be one large string of CA certificates
22
# Individual controller values will override this global value
23
data: ~
24
# -- Global value to set single volume to be mounted for CA certificates for all deployments.
25
# Not used when `.Values.global.caCertificates.data` is defined
26
# Individual controller values will override this global value
27
volume: {}
28
# Example to use hostPath:
29
# hostPath:
30
# path: /etc/pki/tls/ca-certificates.crt
31
# type: File
32
# -- Additional container environment variables to apply to all containers and init containers
33
extraEnvVars: []
34
# Example setting proxy
35
# extraEnvVars:
36
# - name: HTTPS_PROXY
37
# value: 'https://proxy.example.com:3128'
38
39
# -- Global node labels for pod assignment. Non-global values will override the global value.
40
nodeSelector: {}
41
# -- Global List of node taints to tolerate. Non-global values will override the global value.
42
tolerations: []
43
# -- (string) Override the name of the chart
44
nameOverride: ~
45
# -- (string) Override the expanded name of the chart
46
fullnameOverride: ~
47
# -- (string) Override the namespace the chart deploys to
48
namespaceOverride: ~
49
upgrade:
50
# -- Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed.
51
fromV2: false
52
apiVersionOverride:
53
# -- (string) Override api version used to create `PodDisruptionBudget`` resources.
54
# When not specified the chart will check if `policy/v1/PodDisruptionBudget` is available to
55
# determine the api version automatically.
56
podDisruptionBudget: ~
57
rbac:
58
roles:
59
# -- Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
60
aggregate:
61
admin: true
62
view: true
63
# Use openreports.io as the API group for reporting
64
openreports:
65
# -- Enable OpenReports feature in controllers
66
enabled: false
67
# -- Whether to install CRDs from the upstream OpenReports chart. Setting this to true requires enabled to also be true.
68
installCrds: false
69
# Reports Server configuration
70
reportsServer:
71
# -- Enable reports-server deployment alongside Kyverno
72
enabled: false
73
# -- Wait for reports-server to be ready before starting Kyverno components
74
waitForReady: true
75
# -- Timeout for waiting for reports-server readiness (as duration string, e.g. 300s, 5m)
76
readinessTimeout: 300s
77
# CRDs configuration
78
crds:
79
# -- Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created
80
install: true
81
reportsServer:
82
# -- Kyverno reports-server is used in your cluster
83
enabled: false
84
groups:
85
# -- Install CRDs in group `kyverno.io`
86
kyverno:
87
cleanuppolicies: true
88
clustercleanuppolicies: true
89
clusterpolicies: true
90
globalcontextentries: true
91
policies: true
92
policyexceptions: true
93
updaterequests: true
94
# -- Install CRDs in group `policies.kyverno.io`
95
policies:
96
validatingpolicies: true
97
policyexceptions: true
98
imagevalidatingpolicies: true
99
namespacedimagevalidatingpolicies: true
100
mutatingpolicies: true
101
namespacedmutatingpolicies: true
102
generatingpolicies: true
103
deletingpolicies: true
104
namespaceddeletingpolicies: true
105
namespacedvalidatingpolicies: true
106
# -- Install CRDs in group `reports.kyverno.io`
107
reports:
108
clusterephemeralreports: true
109
ephemeralreports: true
110
# -- Install CRDs in group `wgpolicyk8s.io`
111
wgpolicyk8s:
112
clusterpolicyreports: true
113
policyreports: true
114
# -- Additional CRDs annotations
115
annotations: {}
116
# argocd.argoproj.io/sync-options: Replace=true
117
# strategy.spinnaker.io/replace: 'true'
118
119
# -- Additional CRDs labels
120
customLabels: {}
121
migration:
122
# -- Enable CRDs migration using helm post upgrade hook
123
enabled: true
124
# -- Resources to migrate
125
resources:
126
- cleanuppolicies.kyverno.io
127
- clustercleanuppolicies.kyverno.io
128
- clusterpolicies.kyverno.io
129
- globalcontextentries.kyverno.io
130
- policies.kyverno.io
131
- policyexceptions.kyverno.io
132
- updaterequests.kyverno.io
133
# policies.kyverno.io
134
- deletingpolicies.policies.kyverno.io
135
- generatingpolicies.policies.kyverno.io
136
- imagevalidatingpolicies.policies.kyverno.io
137
- mutatingpolicies.policies.kyverno.io
138
- namespaceddeletingpolicies.policies.kyverno.io
139
- namespacedgeneratingpolicies.policies.kyverno.io
140
- namespacedimagevalidatingpolicies.policies.kyverno.io
141
- namespacedmutatingpolicies.policies.kyverno.io
142
- namespacedvalidatingpolicies.policies.kyverno.io
143
- policyexceptions.policies.kyverno.io
144
- validatingpolicies.policies.kyverno.io
145
image:
146
# -- (string) Image registry
147
registry: cgr.dev
148
defaultRegistry: reg.kyverno.io
149
# -- (string) Image repository
150
repository: chainguard-private/kyverno-cli
151
# -- (string) Image tag
152
# Defaults to appVersion in Chart.yaml if omitted
153
tag: latest@sha256:485fe86eaa7c8d9670edf62c54774cae6c9891c3de11d58e4cc9301b798c8792
154
# -- (string) Image pull policy
155
pullPolicy: IfNotPresent
156
# -- Image pull secrets
157
imagePullSecrets: []
158
# - name: secretName
159
160
# -- Security context for the pod
161
podSecurityContext: {}
162
# -- Node labels for pod assignment
163
nodeSelector: {}
164
# -- List of node taints to tolerate
165
tolerations: []
166
# -- Pod anti affinity constraints.
167
podAntiAffinity: {}
168
# -- Pod affinity constraints.
169
podAffinity: {}
170
# -- Pod labels.
171
podLabels: {}
172
# -- Pod annotations.
173
podAnnotations: {}
174
# -- Node affinity constraints.
175
nodeAffinity: {}
176
# -- Security context for the hook containers
177
securityContext:
178
runAsUser: 65534
179
runAsGroup: 65534
180
runAsNonRoot: true
181
privileged: false
182
allowPrivilegeEscalation: false
183
readOnlyRootFilesystem: true
184
capabilities:
185
drop:
186
- ALL
187
seccompProfile:
188
type: RuntimeDefault
189
podResources:
190
# -- Pod resource limits
191
limits:
192
cpu: 100m
193
memory: 256Mi
194
# -- Pod resource requests
195
requests:
196
cpu: 10m
197
memory: 64Mi
198
serviceAccount:
199
# -- Toggle automounting of the ServiceAccount
200
automountServiceAccountToken: true
201
# -- Scoped token injected into outbound APICall and CEL HTTP requests.
202
# This token carries a custom audience so that if leaked to an external service
203
# it cannot be replayed against the Kubernetes API server.
204
apiCallToken:
205
# -- Audience for the projected token used in outbound requests.
206
# Set this to the audience your receiving service validates in the OIDC token's
207
# `aud` claim. The default is `kyverno-svc.kyverno.io`, which is a Kyverno-specific
208
# audience and prevents the token from being accepted by the Kubernetes API server.
209
audience: "kyverno-svc.kyverno.io"
210
# -- Token lifetime in seconds for the projected outbound API call token.
211
# The default is `3600` (1 hour). The kubelet requests a replacement before the
212
# token expires, so lowering this reduces token lifetime while increasing rotation
213
# frequency.
214
expirationSeconds: 3600
215
# Configuration
216
config:
217
# -- Create the configmap.
218
create: true
219
# -- Preserve the configmap settings during upgrade.
220
preserve: true
221
# -- (string) The configmap name (required if `create` is `false`).
222
name: ~
223
# -- Additional annotations to add to the configmap.
224
annotations: {}
225
# -- Enable registry mutation for container images. Enabled by default.
226
enableDefaultRegistryMutation: true
227
# -- The registry hostname used for the image mutation.
228
defaultRegistry: docker.io
229
# -- Exclude groups
230
excludeGroups:
231
- system:nodes
232
# -- Exclude usernames
233
excludeUsernames: []
234
# - '!system:kube-scheduler'
235
236
# -- Exclude roles
237
excludeRoles: []
238
# -- Exclude roles
239
excludeClusterRoles: []
240
# -- Generate success events.
241
generateSuccessEvents: false
242
# -- Maximum cumulative size of context data during policy evaluation.
243
# Supports Kubernetes quantity format (e.g., 100Mi, 2Gi) or plain bytes (e.g., 2097152).
244
# Limits memory used by context variables to prevent unbounded growth.
245
# Increase if policies legitimately need large context data (e.g., processing large ConfigMaps).
246
# Set to 0 to disable the limit (not recommended for production).
247
# @default -- 2Mi
248
maxContextSize: ~
249
# -- Resource types to be skipped by the Kyverno policy engine.
250
# Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
251
# These are joined together without spaces, run through `tpl`, and the result is set in the config map.
252
# @default -- See [values.yaml](values.yaml)
253
resourceFilters:
254
- '[Event,*,*]'
255
- '[*/*,kube-system,*]'
256
- '[*/*,kube-public,*]'
257
- '[*/*,kube-node-lease,*]'
258
- '[Node,*,*]'
259
- '[Node/?*,*,*]'
260
- '[APIService,*,*]'
261
- '[APIService/?*,*,*]'
262
- '[TokenReview,*,*]'
263
- '[SubjectAccessReview,*,*]'
264
- '[SelfSubjectAccessReview,*,*]'
265
- '[Binding,*,*]'
266
- '[Pod/binding,*,*]'
267
- '[ReplicaSet,*,*]'
268
- '[ReplicaSet/?*,*,*]'
269
- '[EphemeralReport,*,*]'
270
- '[ClusterEphemeralReport,*,*]'
271
# exclude resources from the chart
272
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]'
273
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]'
274
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:additional]'
275
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}]'
276
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:core]'
277
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:additional]'
278
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
279
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:core]'
280
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:additional]'
281
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}]'
282
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:core]'
283
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:additional]'
284
- '[ClusterRoleBinding,*,{{ template "kyverno.admission-controller.roleName" . }}]'
285
- '[ClusterRoleBinding,*,{{ template "kyverno.background-controller.roleName" . }}]'
286
- '[ClusterRoleBinding,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
287
- '[ClusterRoleBinding,*,{{ template "kyverno.reports-controller.roleName" . }}]'
288
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
289
- '[ServiceAccount/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
290
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
291
- '[ServiceAccount/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
292
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
293
- '[ServiceAccount/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
294
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
295
- '[ServiceAccount/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
296
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
297
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
298
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
299
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
300
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
301
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
302
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
303
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
304
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]'
305
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]'
306
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
307
- '[Deployment/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
308
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
309
- '[Deployment/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
310
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
311
- '[Deployment/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
312
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
313
- '[Deployment/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
314
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
315
- '[Pod/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
316
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
317
- '[Pod/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
318
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
319
- '[Pod/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
320
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
321
- '[Pod/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
322
- '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
323
- '[Job/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
324
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
325
- '[NetworkPolicy/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
326
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
327
- '[NetworkPolicy/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
328
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
329
- '[NetworkPolicy/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
330
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
331
- '[NetworkPolicy/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
332
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
333
- '[PodDisruptionBudget/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
334
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
335
- '[PodDisruptionBudget/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
336
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
337
- '[PodDisruptionBudget/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
338
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
339
- '[PodDisruptionBudget/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
340
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
341
- '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
342
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
343
- '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
344
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
345
- '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
346
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
347
- '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
348
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
349
- '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
350
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
351
- '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
352
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]'
353
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.background-controller.name" . }}]'
354
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.cleanup-controller.name" . }}]'
355
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.reports-controller.name" . }}]'
356
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
357
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
358
# -- Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies.
359
updateRequestThreshold: 1000
360
# -- Defines the `namespaceSelector`/`objectSelector` in the webhook configurations.
361
# The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
362
webhooks:
363
# Exclude namespaces
364
namespaceSelector:
365
matchExpressions:
366
- key: kubernetes.io/metadata.name
367
operator: NotIn
368
values:
369
- kube-system
370
# Exclude objects
371
# objectSelector:
372
# matchExpressions:
373
# - key: webhooks.kyverno.io/exclude
374
# operator: DoesNotExist
375
# -- Defines annotations to set on webhook configurations.
376
webhookAnnotations:
377
# Example to disable admission enforcer on AKS:
378
'admissions.enforcer/disabled': 'true'
379
# -- Defines labels to set on webhook configurations.
380
webhookLabels: {}
381
# Example to adopt webhook resources in ArgoCD:
382
# 'argocd.argoproj.io/instance': 'kyverno'
383
384
# -- Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+).
385
matchConditions: []
386
# -- Exclude Kyverno namespace
387
# Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters
388
excludeKyvernoNamespace: true
389
# -- resourceFilter namespace exclude
390
# Namespaces to exclude from the default resourceFilters
391
resourceFiltersExcludeNamespaces: []
392
# -- resourceFilters exclude list
393
# Items to exclude from config.resourceFilters
394
resourceFiltersExclude: []
395
# -- resourceFilter namespace include
396
# Namespaces to include to the default resourceFilters
397
resourceFiltersIncludeNamespaces: []
398
# -- resourceFilters include list
399
# Items to include to config.resourceFilters
400
resourceFiltersInclude: []
401
# Metrics configuration
402
metricsConfig:
403
# -- Create the configmap.
404
create: true
405
# -- (string) The configmap name (required if `create` is `false`).
406
name: ~
407
# -- Additional annotations to add to the configmap.
408
annotations: {}
409
namespaces:
410
# -- List of namespaces to capture metrics for.
411
include: []
412
# -- list of namespaces to NOT capture metrics for.
413
exclude: []
414
# -- (string) Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics. WARNING: This flag is not working since Kyverno 1.8.0
415
metricsRefreshInterval: ~
416
# metricsRefreshInterval: 24h
417
418
# -- (list) Configures the bucket boundaries for all Histogram metrics, changing this configuration requires restart of the kyverno admission controller
419
bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20, 25, 30]
420
# -- (map) Configures the exposure of individual metrics, by default all metrics and all labels are exported, changing this configuration requires restart of the kyverno admission controller
421
metricsExposure:
422
kyverno_policy_execution_duration_seconds:
423
# bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
424
disabledLabelDimensions: ["resource_namespace", "resource_request_operation"]
425
kyverno_validating_policy_execution_duration_seconds:
426
# bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
427
disabledLabelDimensions: ["resource_namespace", "resource_request_operation"]
428
kyverno_image_validating_policy_execution_duration_seconds:
429
# bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
430
disabledLabelDimensions: ["resource_namespace", "resource_request_operation"]
431
kyverno_mutating_policy_execution_duration_seconds:
432
# bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
433
disabledLabelDimensions: ["resource_namespace", "resource_request_operation"]
434
kyverno_generating_policy_execution_duration_seconds:
435
# bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
436
disabledLabelDimensions: ["resource_namespace", "resource_request_operation"]
437
kyverno_admission_review_duration_seconds:
438
# enabled: false
439
disabledLabelDimensions: ["resource_namespace"]
440
kyverno_policy_rule_info_total:
441
disabledLabelDimensions: ["resource_namespace", "policy_namespace"]
442
kyverno_policy_results_total:
443
disabledLabelDimensions: ["resource_namespace", "policy_namespace"]
444
kyverno_admission_requests_total:
445
disabledLabelDimensions: ["resource_namespace"]
446
kyverno_cleanup_controller_deletedobjects_total:
447
disabledLabelDimensions: ["resource_namespace", "policy_namespace"]
448
# -- Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument
449
imagePullSecrets: {}
450
# regcred:
451
# registry: foo.example.com
452
# username: foobar
453
# password: secret
454
# regcred2:
455
# registry: bar.example.com
456
# username: barbaz
457
# password: secret2
458
459
# -- Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument
460
existingImagePullSecrets: []
461
# - test-registry
462
# - other-test-registry
463
464
# Tests configuration
465
test:
466
# -- Sleep time before running test
467
sleep: 20
468
image:
469
# -- (string) Image registry
470
registry: cgr.dev
471
# -- Image repository
472
repository: chainguard-private/kyverno-readiness-checker
473
# -- Image tag
474
# Defaults to `latest` if omitted
475
tag: latest@sha256:f7fd92b4f64c70b8ff327b6377f02a23e57987c6271687fcee79f7a561b19441
476
# -- (string) Image pull policy
477
# Defaults to image.pullPolicy if omitted
478
pullPolicy: ~
479
# -- Image pull secrets
480
imagePullSecrets: []
481
# - name: secretName
482
483
resources:
484
# -- Pod resource limits
485
limits:
486
cpu: 100m
487
memory: 256Mi
488
# -- Pod resource requests
489
requests:
490
cpu: 10m
491
memory: 64Mi
492
# -- Security context for the test containers
493
securityContext:
494
runAsUser: 65534
495
runAsGroup: 65534
496
runAsNonRoot: true
497
privileged: false
498
allowPrivilegeEscalation: false
499
readOnlyRootFilesystem: true
500
capabilities:
501
drop:
502
- ALL
503
seccompProfile:
504
type: RuntimeDefault
505
# -- Toggle automounting of the ServiceAccount
506
automountServiceAccountToken: true
507
# -- Node labels for pod assignment
508
nodeSelector: {}
509
# -- Additional Pod annotations
510
podAnnotations: {}
511
# -- List of node taints to tolerate
512
tolerations: []
513
# -- Additional labels
514
customLabels: {}
515
webhooksCleanup:
516
# -- Create a helm pre-delete hook to cleanup webhooks.
517
enabled: true
518
autoDeleteWebhooks:
519
# -- Allow webhooks controller to delete webhooks using finalizers
520
enabled: false
521
image:
522
# -- (string) Image registry
523
registry: cgr.dev
524
# -- Image repository
525
repository: chainguard-private/kubectl
526
# -- Image tag
527
# Defaults to `latest` if omitted
528
tag: latest@sha256:f51a127d9e1cd1b687557167139ff23d81ce5362d8d58fff3d539d2bf9fd3612
529
# -- (string) Image pull policy
530
# Defaults to image.pullPolicy if omitted
531
pullPolicy: ~
532
# -- Image pull secrets
533
imagePullSecrets: []
534
# -- Security context for the pod
535
podSecurityContext: {}
536
# -- Node labels for pod assignment
537
nodeSelector: {}
538
# -- List of node taints to tolerate
539
tolerations: []
540
# -- Pod anti affinity constraints.
541
podAntiAffinity: {}
542
# -- Pod affinity constraints.
543
podAffinity: {}
544
# -- Pod labels.
545
podLabels: {}
546
# -- Pod annotations.
547
podAnnotations: {}
548
# -- Node affinity constraints.
549
nodeAffinity: {}
550
# -- Security context for the hook containers
551
securityContext:
552
runAsUser: 65534
553
runAsGroup: 65534
554
runAsNonRoot: true
555
privileged: false
556
allowPrivilegeEscalation: false
557
readOnlyRootFilesystem: true
558
capabilities:
559
drop:
560
- ALL
561
seccompProfile:
562
type: RuntimeDefault
563
resources:
564
# -- Pod resource limits
565
limits:
566
cpu: 100m
567
memory: 256Mi
568
# -- Pod resource requests
569
requests:
570
cpu: 10m
571
memory: 64Mi
572
serviceAccount:
573
# -- Toggle automounting of the ServiceAccount
574
automountServiceAccountToken: true
575
grafana:
576
# -- Enable grafana dashboard creation.
577
enabled: false
578
# -- Configmap name template.
579
configMapName: '{{ include "kyverno.fullname" . }}-grafana'
580
# -- (string) Namespace to create the grafana dashboard configmap.
581
# If not set, it will be created in the same namespace where the chart is deployed.
582
namespace: ~
583
# -- Grafana dashboard configmap annotations.
584
annotations: {}
585
# -- Grafana dashboard configmap labels
586
labels:
587
grafana_dashboard: "1"
588
# -- create GrafanaDashboard custom resource referencing to the configMap.
589
# according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/
590
grafanaDashboard:
591
create: false
592
folder: kyverno
593
allowCrossNamespaceImport: true
594
matchLabels:
595
dashboards: "grafana"
596
# Features configuration
597
features:
598
admissionReports:
599
# -- Enables the feature
600
enabled: true
601
aggregateReports:
602
# -- Enables the feature
603
enabled: true
604
policyReports:
605
# -- Enables the feature
606
enabled: true
607
validatingAdmissionPolicyReports:
608
# -- Enables the feature
609
enabled: true
610
mutatingAdmissionPolicyReports:
611
# -- Enables the feature
612
enabled: false
613
reporting:
614
# -- Enables the feature
615
validate: true
616
# -- Enables the feature
617
mutate: true
618
# -- Enables the feature
619
mutateExisting: true
620
# -- Enables the feature
621
imageVerify: true
622
# -- Enables the feature
623
generate: true
624
autoUpdateWebhooks:
625
# -- Enables the feature
626
enabled: true
627
backgroundScan:
628
# -- Enables the feature
629
enabled: true
630
# -- Number of background scan workers
631
backgroundScanWorkers: 2
632
# -- Background scan interval
633
backgroundScanInterval: 1h
634
# -- Skips resource filters in background scan
635
skipResourceFilters: true
636
configMapCaching:
637
# -- Enables the feature
638
enabled: true
639
controllerRuntimeMetrics:
640
# -- Bind address for controller-runtime metrics (use "0" to disable it)
641
bindAddress: ":8080"
642
deferredLoading:
643
# -- Enables the feature
644
enabled: true
645
dumpPayload:
646
# -- Enables the feature
647
enabled: false
648
forceFailurePolicyIgnore:
649
# -- Enables the feature
650
enabled: false
651
generateValidatingAdmissionPolicy:
652
# -- Enables the feature
653
enabled: true
654
generateMutatingAdmissionPolicy:
655
# -- Enables the feature
656
enabled: false
657
dumpPatches:
658
# -- Enables the feature
659
enabled: false
660
globalContext:
661
# -- Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended)
662
maxApiCallResponseLength: 2000000
663
logging:
664
# -- Logging format
665
format: text
666
# -- Logging verbosity
667
verbosity: 2
668
omitEvents:
669
# -- Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`)
670
eventTypes:
671
- PolicyApplied
672
- PolicySkipped
673
# - PolicyViolation
674
# - PolicyError
675
policyExceptions:
676
# -- Enables the feature
677
enabled: false
678
# -- Restrict policy exceptions to a single namespace
679
# Set to "*" to allow exceptions in all namespaces
680
namespace: ''
681
protectManagedResources:
682
# -- Enables the feature
683
enabled: false
684
registryClient:
685
# -- Allow insecure registry
686
allowInsecure: false
687
# -- Enable registry client helpers
688
credentialHelpers:
689
- default
690
- google
691
- amazon
692
- azure
693
- github
694
ttlController:
695
# -- Reconciliation interval for the label based cleanup manager
696
reconciliationInterval: 1m
697
tuf:
698
# -- Enables the feature
699
enabled: false
700
# -- (string) Path to Tuf root
701
root: ~
702
# -- (string) Raw Tuf root
703
rootRaw: ~
704
# -- (string) Tuf mirror
705
mirror: ~
706
# Admission controller configuration
707
admissionController:
708
autoscaling:
709
# -- Enable horizontal pod autoscaling
710
enabled: false
711
# -- Minimum number of pods
712
minReplicas: 1
713
# -- Maximum number of pods
714
maxReplicas: 10
715
# -- Target CPU utilization percentage
716
targetCPUUtilizationPercentage: 80
717
# -- Configurable scaling behavior
718
behavior: {}
719
# -- Overrides features defined at the root level
720
featuresOverride:
721
admissionReports:
722
# -- Max number of admission reports allowed in flight until the admission controller stops creating new ones
723
backPressureThreshold: 1000
724
rbac:
725
# -- Create RBAC resources
726
create: true
727
# -- Create rolebinding to view role
728
createViewRoleBinding: true
729
# -- The view role to use in the rolebinding
730
viewRoleName: view
731
serviceAccount:
732
# -- The ServiceAccount name
733
name:
734
# -- Annotations for the ServiceAccount
735
annotations: {}
736
# example.com/annotation: value
737
738
# -- Toggle automounting of the ServiceAccount
739
automountServiceAccountToken: true
740
coreClusterRole:
741
# -- Extra resource permissions to add in the core cluster role.
742
# This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
743
# @default -- See [values.yaml](values.yaml)
744
extraResources: []
745
clusterRole:
746
# -- Extra resource permissions to add in the cluster role
747
extraResources: []
748
# - apiGroups:
749
# - ''
750
# resources:
751
# - pods
752
# verbs:
753
# - create
754
# - update
755
# - delete
756
# -- Create self-signed certificates at deployment time.
757
# The certificates won't be automatically renewed if this is set to `true`.
758
createSelfSignedCert: false
759
# -- Key algorithm for self-signed TLS certificates.
760
# Supported values: RSA, ECDSA, Ed25519
761
# Only used when createSelfSignedCert is false (Kyverno-managed certificates).
762
tlsKeyAlgorithm: RSA
763
# -- Configure cert-manager to manage TLS certificates.
764
# When enabled, cert-manager Certificate resources will be created to provision
765
# the TLS certificates for the admission controller.
766
# Requires cert-manager to be installed in the cluster.
767
# Takes precedence over createSelfSignedCert when enabled.
768
certManager:
769
# -- Enable cert-manager integration for certificate management
770
enabled: false
771
# -- Create a self-signed ClusterIssuer for CA generation.
772
# Set to false if you want to use an existing issuer specified in issuerRef.
773
createSelfSignedIssuer: true
774
# -- Reference to an existing issuer for signing CA certificates.
775
# Only used when createSelfSignedIssuer is false.
776
issuerRef:
777
# -- Name of the issuer
778
name: ""
779
# -- Kind of the issuer (ClusterIssuer or Issuer)
780
kind: ClusterIssuer
781
# -- Group of the issuer
782
group: cert-manager.io
783
# -- Key algorithm for certificates (RSA, ECDSA, Ed25519)
784
algorithm: RSA
785
# -- Key size for RSA (2048, 4096) or ECDSA (256, 384).
786
# Ignored for Ed25519.
787
size: 2048
788
# -- CA certificate configuration
789
ca:
790
# -- Duration of the CA certificate (default 10 years)
791
duration: 87600h
792
# -- Time before expiry to renew the CA certificate (default 30 days)
793
renewBefore: 720h
794
# -- TLS certificate configuration
795
tls:
796
# -- Duration of the TLS certificate (default 1 year)
797
duration: 8760h
798
# -- Time before expiry to renew the TLS certificate (default 30 days)
799
renewBefore: 720h
800
# -- (int) Desired number of pods
801
replicas: ~
802
# -- The number of revisions to keep
803
revisionHistoryLimit: 10
804
# -- Resync period for informers
805
resyncPeriod: 15m
806
# -- Enable/Disable custom resource watcher to invalidate cache
807
crdWatcher: false
808
# -- Additional labels to add to each pod
809
podLabels: {}
810
# example.com/label: foo
811
812
# -- Additional annotations to add to each pod
813
podAnnotations: {}
814
# example.com/annotation: foo
815
816
# -- Deployment annotations.
817
annotations: {}
818
# -- Deployment update strategy.
819
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
820
# @default -- See [values.yaml](values.yaml)
821
updateStrategy:
822
rollingUpdate:
823
maxSurge: 1
824
maxUnavailable: 40%
825
type: RollingUpdate
826
# -- Optional priority class
827
priorityClassName: ''
828
# -- Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno admission controller activities.
829
# This will help ensure Kyverno stability in busy clusters.
830
# Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
831
apiPriorityAndFairness: false
832
# -- Priority level configuration.
833
# The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want.
834
# ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration
835
# @default -- See [values.yaml](values.yaml)
836
priorityLevelConfigurationSpec:
837
type: Limited
838
limited:
839
nominalConcurrencyShares: 10
840
limitResponse:
841
queuing:
842
queueLengthLimit: 50
843
type: Queue
844
# -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
845
# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
846
# Update the `dnsPolicy` accordingly as well to suit the host network mode.
847
hostNetwork: false
848
# -- admissionController webhook server port
849
# in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to
850
webhookServer:
851
port: 9443
852
# -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
853
# In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
854
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
855
dnsPolicy: ClusterFirst
856
# -- `dnsConfig` allows to specify DNS configuration for the pod.
857
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config.
858
dnsConfig: {}
859
# options:
860
# - name: ndots
861
# value: "2"
862
863
# -- Startup probe.
864
# The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
865
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
866
# @default -- See [values.yaml](values.yaml)
867
startupProbe:
868
httpGet:
869
path: /health/liveness
870
port: 9443
871
scheme: HTTPS
872
failureThreshold: 20
873
initialDelaySeconds: 2
874
periodSeconds: 6
875
# -- Liveness probe.
876
# The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
877
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
878
# @default -- See [values.yaml](values.yaml)
879
livenessProbe:
880
httpGet:
881
path: /health/liveness
882
port: 9443
883
scheme: HTTPS
884
initialDelaySeconds: 15
885
periodSeconds: 30
886
timeoutSeconds: 5
887
failureThreshold: 2
888
successThreshold: 1
889
# -- Readiness Probe.
890
# The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
891
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
892
# @default -- See [values.yaml](values.yaml)
893
readinessProbe:
894
httpGet:
895
path: /health/readiness
896
port: 9443
897
scheme: HTTPS
898
initialDelaySeconds: 5
899
periodSeconds: 10
900
timeoutSeconds: 5
901
failureThreshold: 6
902
successThreshold: 1
903
# -- Node labels for pod assignment
904
nodeSelector:
905
kubernetes.io/os: linux
906
# -- List of node taints to tolerate
907
tolerations: []
908
antiAffinity:
909
# -- Pod antiAffinities toggle.
910
# Enabled by default but can be disabled if you want to schedule pods to the same node.
911
enabled: true
912
# -- Pod anti affinity constraints.
913
# @default -- See [values.yaml](values.yaml)
914
podAntiAffinity:
915
preferredDuringSchedulingIgnoredDuringExecution:
916
- weight: 1
917
podAffinityTerm:
918
labelSelector:
919
matchExpressions:
920
- key: app.kubernetes.io/component
921
operator: In
922
values:
923
- admission-controller
924
topologyKey: kubernetes.io/hostname
925
# -- Pod affinity constraints.
926
podAffinity: {}
927
# -- Node affinity constraints.
928
nodeAffinity: {}
929
# -- Topology spread constraints.
930
topologySpreadConstraints: []
931
# -- Security context for the pod
932
podSecurityContext: {}
933
podDisruptionBudget:
934
# -- Enable PodDisruptionBudget.
935
# Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
936
enabled: false
937
# -- Configures the minimum available pods for disruptions.
938
# Cannot be used if `maxUnavailable` is set.
939
minAvailable: 1
940
# -- Configures the maximum unavailable pods for disruptions.
941
# Cannot be used if `minAvailable` is set.
942
maxUnavailable:
943
# -- Unhealthy pod eviction policy to be used.
944
# Possible values are `IfHealthyBudget` or `AlwaysAllow`.
945
unhealthyPodEvictionPolicy:
946
# -- A writable volume to use for the TUF root initialization.
947
tufRootMountPath: /.sigstore
948
# -- Volume to be mounted in pods for TUF/cosign work.
949
sigstoreVolume:
950
emptyDir: {}
951
caCertificates:
952
# -- CA certificates to use with Kyverno deployments
953
# This value is expected to be one large string of CA certificates
954
data: ~
955
# -- Volume to be mounted for CA certificates
956
# Not used when `.Values.admissionController.caCertificates.data` is defined
957
volume: {}
958
# Example to use hostPath:
959
# hostPath:
960
# path: /etc/pki/tls/ca-certificates.crt
961
# type: File
962
# -- Image pull secrets
963
imagePullSecrets: []
964
# - secretName
965
966
initContainer:
967
image:
968
# -- Image registry
969
registry: cgr.dev
970
defaultRegistry: reg.kyverno.io
971
# -- Image repository
972
repository: chainguard-private/kyvernopre
973
# -- (string) Image tag
974
# If missing, defaults to image.tag
975
tag: latest@sha256:73c5661395d1d610f4e1fe7e400c966c0d6d3ca9f4ecc339338210c16a4b355d
976
# -- (string) Image pull policy
977
# If missing, defaults to image.pullPolicy
978
pullPolicy: ~
979
resources:
980
# -- Pod resource limits
981
limits:
982
cpu: 100m
983
memory: 256Mi
984
# -- Pod resource requests
985
requests:
986
cpu: 10m
987
memory: 64Mi
988
# -- Container security context
989
securityContext:
990
runAsNonRoot: true
991
privileged: false
992
allowPrivilegeEscalation: false
993
readOnlyRootFilesystem: true
994
capabilities:
995
drop:
996
- ALL
997
seccompProfile:
998
type: RuntimeDefault
999
# -- Additional container args.
1000
extraArgs: {}
1001
# -- Additional container environment variables.
1002
extraEnvVars: []
1003
# Example setting proxy
1004
# extraEnvVars:
1005
# - name: HTTPS_PROXY
1006
# value: 'https://proxy.example.com:3128'
1007
container:
1008
image:
1009
# -- Image registry
1010
registry: cgr.dev
1011
defaultRegistry: reg.kyverno.io
1012
# -- Image repository
1013
repository: chainguard-private/kyverno
1014
# -- (string) Image tag
1015
# Defaults to appVersion in Chart.yaml if omitted
1016
tag: latest@sha256:32b7a1026067d149bc3136d69439c054b460aa23705feb088271ec2b11e0f805
1017
# -- Image pull policy
1018
pullPolicy: IfNotPresent
1019
resources:
1020
# -- Pod resource limits
1021
limits:
1022
memory: 384Mi
1023
# -- Pod resource requests
1024
requests:
1025
cpu: 100m
1026
memory: 128Mi
1027
# -- Container security context
1028
securityContext:
1029
runAsNonRoot: true
1030
privileged: false
1031
allowPrivilegeEscalation: false
1032
readOnlyRootFilesystem: true
1033
capabilities:
1034
drop:
1035
- ALL
1036
seccompProfile:
1037
type: RuntimeDefault
1038
# -- Additional container args.
1039
extraArgs: {}
1040
# -- Additional container environment variables.
1041
extraEnvVars: []
1042
# Example setting proxy
1043
# extraEnvVars:
1044
# - name: HTTPS_PROXY
1045
# value: 'https://proxy.example.com:3128'
1046
# -- Array of extra init containers
1047
extraInitContainers: []
1048
# - name: init-container
1049
# image: busybox
1050
# command: ['sh', '-c', 'echo Hello']
1051
1052
# -- Array of extra containers to run alongside kyverno
1053
extraContainers: []
1054
# - name: myapp-container
1055
# image: busybox
1056
# command: ['sh', '-c', 'echo Hello && sleep 3600']
1057
1058
service:
1059
# -- Service port.
1060
port: 443
1061
# -- Service type.
1062
type: ClusterIP
1063
# -- Service node port.
1064
# Only used if `type` is `NodePort`.
1065
nodePort:
1066
# -- Service annotations.
1067
annotations: {}
1068
# -- (string) Service traffic distribution policy.
1069
# Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
1070
trafficDistribution: ~
1071
metricsService:
1072
# -- Create service.
1073
create: true
1074
# -- Service port.
1075
# Kyverno's metrics server will be exposed at this port.
1076
port: 8000
1077
# -- Service type.
1078
type: ClusterIP
1079
# -- Service node port.
1080
# Only used if `type` is `NodePort`.
1081
nodePort:
1082
# -- Service annotations.
1083
annotations: {}
1084
# -- (string) Service traffic distribution policy.
1085
# Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
1086
trafficDistribution: ~
1087
networkPolicy:
1088
# -- When true, use a NetworkPolicy to allow ingress to the webhook
1089
# This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
1090
enabled: false
1091
# -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
1092
ingressFrom: []
1093
serviceMonitor:
1094
# -- Create a `ServiceMonitor` to collect Prometheus metrics.
1095
enabled: false
1096
# -- Additional annotations
1097
additionalAnnotations: {}
1098
# -- Additional labels
1099
additionalLabels: {}
1100
# -- (string) Override namespace
1101
namespace: ~
1102
# -- Interval to scrape metrics
1103
interval: 30s
1104
# -- Timeout if metrics can't be retrieved in given time interval
1105
scrapeTimeout: 25s
1106
# -- Is TLS required for endpoint
1107
secure: false
1108
# -- TLS Configuration for endpoint
1109
tlsConfig: {}
1110
# -- RelabelConfigs to apply to samples before scraping
1111
relabelings: []
1112
# -- MetricRelabelConfigs to apply to samples before ingestion.
1113
metricRelabelings: []
1114
tracing:
1115
# -- Enable tracing
1116
enabled: false
1117
# -- Traces receiver address
1118
address:
1119
# -- Traces receiver port
1120
port:
1121
# -- Traces receiver credentials
1122
creds: ''
1123
metering:
1124
# -- Disable metrics export
1125
disabled: false
1126
# -- Otel configuration, can be `prometheus` or `grpc`
1127
config: prometheus
1128
# -- Prometheus endpoint port
1129
port: 8000
1130
# -- Otel collector endpoint
1131
collector: ''
1132
# -- Otel collector credentials
1133
creds: ''
1134
profiling:
1135
# -- Enable profiling
1136
enabled: false
1137
# -- Profiling endpoint port
1138
port: 6060
1139
# -- Service type.
1140
serviceType: ClusterIP
1141
# -- Service node port.
1142
# Only used if `type` is `NodePort`.
1143
nodePort:
1144
# Background controller configuration
1145
backgroundController:
1146
# -- Overrides features defined at the root level
1147
featuresOverride: {}
1148
# -- Enable background controller.
1149
enabled: true
1150
rbac:
1151
# -- Create RBAC resources
1152
create: true
1153
# -- Create rolebinding to view role
1154
createViewRoleBinding: true
1155
# -- The view role to use in the rolebinding
1156
viewRoleName: view
1157
serviceAccount:
1158
# -- Service account name
1159
name:
1160
# -- Annotations for the ServiceAccount
1161
annotations: {}
1162
# example.com/annotation: value
1163
1164
# -- Toggle automounting of the ServiceAccount
1165
automountServiceAccountToken: true
1166
coreClusterRole:
1167
# -- Extra resource permissions to add in the core cluster role.
1168
# This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
1169
# @default -- See [values.yaml](values.yaml)
1170
extraResources:
1171
- apiGroups:
1172
- networking.k8s.io
1173
resources:
1174
- ingresses
1175
- ingressclasses
1176
- networkpolicies
1177
verbs:
1178
- create
1179
- update
1180
- patch
1181
- delete
1182
- apiGroups:
1183
- rbac.authorization.k8s.io
1184
resources:
1185
- rolebindings
1186
- roles
1187
verbs:
1188
- create
1189
- update
1190
- patch
1191
- delete
1192
- apiGroups:
1193
- ''
1194
resources:
1195
- configmaps
1196
- resourcequotas
1197
- limitranges
1198
verbs:
1199
- create
1200
- update
1201
- patch
1202
- delete
1203
- apiGroups:
1204
- resource.k8s.io
1205
resources:
1206
- resourceclaims
1207
- resourceclaimtemplates
1208
verbs:
1209
- create
1210
- delete
1211
- update
1212
- patch
1213
- deletecollection
1214
clusterRole:
1215
# -- Extra resource permissions to add in the cluster role
1216
extraResources: []
1217
# - apiGroups:
1218
# - ''
1219
# resources:
1220
# - pods
1221
# verbs:
1222
# - create
1223
# - update
1224
# - delete
1225
# - patch
1226
image:
1227
# -- Image registry
1228
registry: cgr.dev
1229
defaultRegistry: reg.kyverno.io
1230
# -- Image repository
1231
repository: chainguard-private/kyverno-background-controller
1232
# -- Image tag
1233
# Defaults to appVersion in Chart.yaml if omitted
1234
tag: latest@sha256:f3b9109e9edb332250bfcea75273f98789d5fc07cf4801fab4ad71cd78ec5b80
1235
# -- Image pull policy
1236
pullPolicy: IfNotPresent
1237
# -- Image pull secrets
1238
imagePullSecrets: []
1239
# - secretName
1240
1241
# -- (int) Desired number of pods
1242
replicas: ~
1243
# -- The number of revisions to keep
1244
revisionHistoryLimit: 10
1245
# -- Resync period for informers
1246
resyncPeriod: 15m
1247
# -- Additional labels to add to each pod
1248
podLabels: {}
1249
# example.com/label: foo
1250
1251
# -- Additional annotations to add to each pod
1252
podAnnotations: {}
1253
# example.com/annotation: foo
1254
1255
# -- Deployment annotations.
1256
annotations: {}
1257
# -- Deployment update strategy.
1258
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
1259
# @default -- See [values.yaml](values.yaml)
1260
updateStrategy:
1261
rollingUpdate:
1262
maxSurge: 1
1263
maxUnavailable: 40%
1264
type: RollingUpdate
1265
# -- Optional priority class
1266
priorityClassName: ''
1267
# -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
1268
# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
1269
# Update the `dnsPolicy` accordingly as well to suit the host network mode.
1270
hostNetwork: false
1271
# -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
1272
# In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
1273
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
1274
dnsPolicy: ClusterFirst
1275
# -- `dnsConfig` allows to specify DNS configuration for the pod.
1276
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config.
1277
dnsConfig: {}
1278
# options:
1279
# - name: ndots
1280
# value: "2"
1281
1282
# -- Extra arguments passed to the container on the command line
1283
extraArgs: {}
1284
# -- Additional container environment variables.
1285
extraEnvVars: []
1286
# Example setting proxy
1287
# extraEnvVars:
1288
# - name: HTTPS_PROXY
1289
# value: 'https://proxy.example.com:3128'
1290
1291
resources:
1292
# -- Pod resource limits
1293
limits:
1294
memory: 128Mi
1295
# -- Pod resource requests
1296
requests:
1297
cpu: 100m
1298
memory: 64Mi
1299
# -- Node labels for pod assignment
1300
nodeSelector:
1301
kubernetes.io/os: linux
1302
# -- List of node taints to tolerate
1303
tolerations: []
1304
antiAffinity:
1305
# -- Pod antiAffinities toggle.
1306
# Enabled by default but can be disabled if you want to schedule pods to the same node.
1307
enabled: true
1308
# -- Pod anti affinity constraints.
1309
# @default -- See [values.yaml](values.yaml)
1310
podAntiAffinity:
1311
preferredDuringSchedulingIgnoredDuringExecution:
1312
- weight: 1
1313
podAffinityTerm:
1314
labelSelector:
1315
matchExpressions:
1316
- key: app.kubernetes.io/component
1317
operator: In
1318
values:
1319
- background-controller
1320
topologyKey: kubernetes.io/hostname
1321
# -- Pod affinity constraints.
1322
podAffinity: {}
1323
# -- Node affinity constraints.
1324
nodeAffinity: {}
1325
# -- Topology spread constraints.
1326
topologySpreadConstraints: []
1327
# -- Security context for the pod
1328
podSecurityContext: {}
1329
# -- Security context for the containers
1330
securityContext:
1331
runAsNonRoot: true
1332
privileged: false
1333
allowPrivilegeEscalation: false
1334
readOnlyRootFilesystem: true
1335
capabilities:
1336
drop:
1337
- ALL
1338
seccompProfile:
1339
type: RuntimeDefault
1340
podDisruptionBudget:
1341
# -- Enable PodDisruptionBudget.
1342
# Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
1343
enabled: false
1344
# -- Configures the minimum available pods for disruptions.
1345
# Cannot be used if `maxUnavailable` is set.
1346
minAvailable: 1
1347
# -- Configures the maximum unavailable pods for disruptions.
1348
# Cannot be used if `minAvailable` is set.
1349
maxUnavailable:
1350
# -- Unhealthy pod eviction policy to be used.
1351
# Possible values are `IfHealthyBudget` or `AlwaysAllow`.
1352
unhealthyPodEvictionPolicy:
1353
caCertificates:
1354
# -- CA certificates to use with Kyverno deployments
1355
# This value is expected to be one large string of CA certificates
1356
data: ~
1357
# -- Volume to be mounted for CA certificates
1358
# Not used when `.Values.backgroundController.caCertificates.data` is defined
1359
volume: {}
1360
# Example to use hostPath:
1361
# hostPath:
1362
# path: /etc/pki/tls/ca-certificates.crt
1363
# type: File
1364
metricsService:
1365
# -- Create service.
1366
create: true
1367
# -- Service port.
1368
# Metrics server will be exposed at this port.
1369
port: 8000
1370
# -- Service type.
1371
type: ClusterIP
1372
# -- Service node port.
1373
# Only used if `metricsService.type` is `NodePort`.
1374
nodePort:
1375
# -- Service annotations.
1376
annotations: {}
1377
# -- (string) Service traffic distribution policy.
1378
# Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
1379
trafficDistribution: ~
1380
networkPolicy:
1381
# -- When true, use a NetworkPolicy to allow ingress to the webhook
1382
# This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
1383
enabled: false
1384
# -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
1385
ingressFrom: []
1386
serviceMonitor:
1387
# -- Create a `ServiceMonitor` to collect Prometheus metrics.
1388
enabled: false
1389
# -- Additional annotations
1390
additionalAnnotations: {}
1391
# -- Additional labels
1392
additionalLabels: {}
1393
# -- (string) Override namespace
1394
namespace: ~
1395
# -- Interval to scrape metrics
1396
interval: 30s
1397
# -- Timeout if metrics can't be retrieved in given time interval
1398
scrapeTimeout: 25s
1399
# -- Is TLS required for endpoint
1400
secure: false
1401
# -- TLS Configuration for endpoint
1402
tlsConfig: {}
1403
# -- RelabelConfigs to apply to samples before scraping
1404
relabelings: []
1405
# -- MetricRelabelConfigs to apply to samples before ingestion.
1406
metricRelabelings: []
1407
tracing:
1408
# -- Enable tracing
1409
enabled: false
1410
# -- Traces receiver address
1411
address:
1412
# -- Traces receiver port
1413
port:
1414
# -- Traces receiver credentials
1415
creds: ''
1416
metering:
1417
# -- Disable metrics export
1418
disabled: false
1419
# -- Otel configuration, can be `prometheus` or `grpc`
1420
config: prometheus
1421
# -- Prometheus endpoint port
1422
port: 8000
1423
# -- Otel collector endpoint
1424
collector: ''
1425
# -- Otel collector credentials
1426
creds: ''
1427
# -- backgroundController server port
1428
# in case you are using hostNetwork: true, you might want to change the port the backgroundController is listening to
1429
server:
1430
port: 9443
1431
profiling:
1432
# -- Enable profiling
1433
enabled: false
1434
# -- Profiling endpoint port
1435
port: 6060
1436
# -- Service type.
1437
serviceType: ClusterIP
1438
# -- Service node port.
1439
# Only used if `type` is `NodePort`.
1440
nodePort:
1441
# Cleanup controller configuration
1442
cleanupController:
1443
# -- Overrides features defined at the root level
1444
featuresOverride: {}
1445
# -- Enable cleanup controller.
1446
enabled: true
1447
rbac:
1448
# -- Create RBAC resources
1449
create: true
1450
serviceAccount:
1451
# -- Service account name
1452
name:
1453
# -- Annotations for the ServiceAccount
1454
annotations: {}
1455
# example.com/annotation: value
1456
1457
# -- Toggle automounting of the ServiceAccount
1458
automountServiceAccountToken: true
1459
clusterRole:
1460
# -- Extra resource permissions to add in the cluster role
1461
extraResources: []
1462
# - apiGroups:
1463
# - ''
1464
# resources:
1465
# - pods
1466
# verbs:
1467
# - delete
1468
# - list
1469
# - watch
1470
# -- Create self-signed certificates at deployment time.
1471
# The certificates won't be automatically renewed if this is set to `true`.
1472
createSelfSignedCert: false
1473
# -- Key algorithm for self-signed TLS certificates.
1474
# Supported values: RSA, ECDSA, Ed25519
1475
# Only used when createSelfSignedCert is false (Kyverno-managed certificates).
1476
tlsKeyAlgorithm: RSA
1477
# -- Configure cert-manager to manage TLS certificates.
1478
# When enabled, cert-manager Certificate resources will be created to provision
1479
# the TLS certificates for the cleanup controller.
1480
# Requires cert-manager to be installed in the cluster.
1481
# Takes precedence over createSelfSignedCert when enabled.
1482
certManager:
1483
# -- Enable cert-manager integration for certificate management
1484
enabled: false
1485
# -- Create a self-signed ClusterIssuer for CA generation.
1486
# Set to false if you want to use an existing issuer specified in issuerRef.
1487
createSelfSignedIssuer: true
1488
# -- Reference to an existing issuer for signing CA certificates.
1489
# Only used when createSelfSignedIssuer is false.
1490
issuerRef:
1491
# -- Name of the issuer
1492
name: ""
1493
# -- Kind of the issuer (ClusterIssuer or Issuer)
1494
kind: ClusterIssuer
1495
# -- Group of the issuer
1496
group: cert-manager.io
1497
# -- Key algorithm for certificates (RSA, ECDSA, Ed25519)
1498
algorithm: RSA
1499
# -- Key size for RSA (2048, 4096) or ECDSA (256, 384).
1500
# Ignored for Ed25519.
1501
size: 2048
1502
# -- CA certificate configuration
1503
ca:
1504
# -- Duration of the CA certificate (default 10 years)
1505
duration: 87600h
1506
# -- Time before expiry to renew the CA certificate (default 30 days)
1507
renewBefore: 720h
1508
# -- TLS certificate configuration
1509
tls:
1510
# -- Duration of the TLS certificate (default 1 year)
1511
duration: 8760h
1512
# -- Time before expiry to renew the TLS certificate (default 30 days)
1513
renewBefore: 720h
1514
image:
1515
# -- Image registry
1516
registry: cgr.dev
1517
defaultRegistry: reg.kyverno.io
1518
# -- Image repository
1519
repository: chainguard-private/kyverno-cleanup-controller
1520
# -- (string) Image tag
1521
# Defaults to appVersion in Chart.yaml if omitted
1522
tag: latest@sha256:d5609de492060dd40e439aaca32b7396221b328d60f39f044d9cb57f49f82476
1523
# -- Image pull policy
1524
pullPolicy: IfNotPresent
1525
# -- Image pull secrets
1526
imagePullSecrets: []
1527
# - secretName
1528
1529
# -- (int) Desired number of pods
1530
replicas: ~
1531
# -- The number of revisions to keep
1532
revisionHistoryLimit: 10
1533
# -- Resync period for informers
1534
resyncPeriod: 15m
1535
# -- Additional labels to add to each pod
1536
podLabels: {}
1537
# example.com/label: foo
1538
1539
# -- Additional annotations to add to each pod
1540
podAnnotations: {}
1541
# example.com/annotation: foo
1542
1543
# -- Deployment annotations.
1544
annotations: {}
1545
# -- Deployment update strategy.
1546
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
1547
# @default -- See [values.yaml](values.yaml)
1548
updateStrategy:
1549
rollingUpdate:
1550
maxSurge: 1
1551
maxUnavailable: 40%
1552
type: RollingUpdate
1553
# -- Optional priority class
1554
priorityClassName: ''
1555
# -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
1556
# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
1557
# Update the `dnsPolicy` accordingly as well to suit the host network mode.
1558
hostNetwork: false
1559
# -- cleanupController server port
1560
# in case you are using hostNetwork: true, you might want to change the port the cleanupController is listening to
1561
server:
1562
port: 9443
1563
# -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
1564
# In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
1565
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
1566
dnsPolicy: ClusterFirst
1567
# -- `dnsConfig` allows to specify DNS configuration for the pod.
1568
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config.
1569
dnsConfig: {}
1570
# options:
1571
# - name: ndots
1572
# value: "2"
1573
1574
# -- Extra arguments passed to the container on the command line
1575
extraArgs: {}
1576
# -- Additional container environment variables.
1577
extraEnvVars: []
1578
# Example setting proxy
1579
# extraEnvVars:
1580
# - name: HTTPS_PROXY
1581
# value: 'https://proxy.example.com:3128'
1582
1583
resources:
1584
# -- Pod resource limits
1585
limits:
1586
memory: 128Mi
1587
# -- Pod resource requests
1588
requests:
1589
cpu: 100m
1590
memory: 64Mi
1591
# -- Startup probe.
1592
# The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
1593
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
1594
# @default -- See [values.yaml](values.yaml)
1595
startupProbe:
1596
httpGet:
1597
path: /health/liveness
1598
port: 9443
1599
scheme: HTTPS
1600
failureThreshold: 20
1601
initialDelaySeconds: 2
1602
periodSeconds: 6
1603
# -- Liveness probe.
1604
# The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
1605
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
1606
# @default -- See [values.yaml](values.yaml)
1607
livenessProbe:
1608
httpGet:
1609
path: /health/liveness
1610
port: 9443
1611
scheme: HTTPS
1612
initialDelaySeconds: 15
1613
periodSeconds: 30
1614
timeoutSeconds: 5
1615
failureThreshold: 2
1616
successThreshold: 1
1617
# -- Readiness Probe.
1618
# The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
1619
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
1620
# @default -- See [values.yaml](values.yaml)
1621
readinessProbe:
1622
httpGet:
1623
path: /health/readiness
1624
port: 9443
1625
scheme: HTTPS
1626
initialDelaySeconds: 5
1627
periodSeconds: 10
1628
timeoutSeconds: 5
1629
failureThreshold: 6
1630
successThreshold: 1
1631
# -- Node labels for pod assignment
1632
nodeSelector:
1633
kubernetes.io/os: linux
1634
# -- List of node taints to tolerate
1635
tolerations: []
1636
antiAffinity:
1637
# -- Pod antiAffinities toggle.
1638
# Enabled by default but can be disabled if you want to schedule pods to the same node.
1639
enabled: true
1640
# -- Pod anti affinity constraints.
1641
# @default -- See [values.yaml](values.yaml)
1642
podAntiAffinity:
1643
preferredDuringSchedulingIgnoredDuringExecution:
1644
- weight: 1
1645
podAffinityTerm:
1646
labelSelector:
1647
matchExpressions:
1648
- key: app.kubernetes.io/component
1649
operator: In
1650
values:
1651
- cleanup-controller
1652
topologyKey: kubernetes.io/hostname
1653
# -- Pod affinity constraints.
1654
podAffinity: {}
1655
# -- Node affinity constraints.
1656
nodeAffinity: {}
1657
# -- Topology spread constraints.
1658
topologySpreadConstraints: []
1659
# -- Security context for the pod
1660
podSecurityContext: {}
1661
# -- Security context for the containers
1662
securityContext:
1663
runAsNonRoot: true
1664
privileged: false
1665
allowPrivilegeEscalation: false
1666
readOnlyRootFilesystem: true
1667
capabilities:
1668
drop:
1669
- ALL
1670
seccompProfile:
1671
type: RuntimeDefault
1672
podDisruptionBudget:
1673
# -- Enable PodDisruptionBudget.
1674
# Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
1675
enabled: false
1676
# -- Configures the minimum available pods for disruptions.
1677
# Cannot be used if `maxUnavailable` is set.
1678
minAvailable: 1
1679
# -- Configures the maximum unavailable pods for disruptions.
1680
# Cannot be used if `minAvailable` is set.
1681
maxUnavailable:
1682
# -- Unhealthy pod eviction policy to be used.
1683
# Possible values are `IfHealthyBudget` or `AlwaysAllow`.
1684
unhealthyPodEvictionPolicy:
1685
service:
1686
# -- Service port.
1687
port: 443
1688
# -- Service type.
1689
type: ClusterIP
1690
# -- Service node port.
1691
# Only used if `service.type` is `NodePort`.
1692
nodePort:
1693
# -- Service annotations.
1694
annotations: {}
1695
# -- (string) Service traffic distribution policy.
1696
# Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
1697
trafficDistribution: ~
1698
metricsService:
1699
# -- Create service.
1700
create: true
1701
# -- Service port.
1702
# Metrics server will be exposed at this port.
1703
port: 8000
1704
# -- Service type.
1705
type: ClusterIP
1706
# -- Service node port.
1707
# Only used if `metricsService.type` is `NodePort`.
1708
nodePort:
1709
# -- Service annotations.
1710
annotations: {}
1711
# -- (string) Service traffic distribution policy.
1712
# Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
1713
trafficDistribution: ~
1714
networkPolicy:
1715
# -- When true, use a NetworkPolicy to allow ingress to the webhook
1716
# This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
1717
enabled: false
1718
# -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
1719
ingressFrom: []
1720
serviceMonitor:
1721
# -- Create a `ServiceMonitor` to collect Prometheus metrics.
1722
enabled: false
1723
# -- Additional annotations
1724
additionalAnnotations: {}
1725
# -- Additional labels
1726
additionalLabels: {}
1727
# -- (string) Override namespace
1728
namespace: ~
1729
# -- Interval to scrape metrics
1730
interval: 30s
1731
# -- Timeout if metrics can't be retrieved in given time interval
1732
scrapeTimeout: 25s
1733
# -- Is TLS required for endpoint
1734
secure: false
1735
# -- TLS Configuration for endpoint
1736
tlsConfig: {}
1737
# -- RelabelConfigs to apply to samples before scraping
1738
relabelings: []
1739
# -- MetricRelabelConfigs to apply to samples before ingestion.
1740
metricRelabelings: []
1741
tracing:
1742
# -- Enable tracing
1743
enabled: false
1744
# -- Traces receiver address
1745
address:
1746
# -- Traces receiver port
1747
port:
1748
# -- Traces receiver credentials
1749
creds: ''
1750
metering:
1751
# -- Disable metrics export
1752
disabled: false
1753
# -- Otel configuration, can be `prometheus` or `grpc`
1754
config: prometheus
1755
# -- Prometheus endpoint port
1756
port: 8000
1757
# -- Otel collector endpoint
1758
collector: ''
1759
# -- Otel collector credentials
1760
creds: ''
1761
profiling:
1762
# -- Enable profiling
1763
enabled: false
1764
# -- Profiling endpoint port
1765
port: 6060
1766
# -- Service type.
1767
serviceType: ClusterIP
1768
# -- Service node port.
1769
# Only used if `type` is `NodePort`.
1770
nodePort:
1771
# Reports controller configuration
1772
reportsController:
1773
# -- Overrides features defined at the root level
1774
featuresOverride: {}
1775
# -- Enable reports controller.
1776
enabled: true
1777
rbac:
1778
# -- Create RBAC resources
1779
create: true
1780
# -- Create rolebinding to view role
1781
createViewRoleBinding: true
1782
# -- The view role to use in the rolebinding
1783
viewRoleName: view
1784
serviceAccount:
1785
# -- Service account name
1786
name:
1787
# -- Annotations for the ServiceAccount
1788
annotations: {}
1789
# example.com/annotation: value
1790
1791
# -- Toggle automounting of the ServiceAccount
1792
automountServiceAccountToken: true
1793
coreClusterRole:
1794
# -- Extra resource permissions to add in the core cluster role.
1795
# This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
1796
# @default -- See [values.yaml](values.yaml)
1797
extraResources: []
1798
clusterRole:
1799
# -- Extra resource permissions to add in the cluster role
1800
extraResources: []
1801
# - apiGroups:
1802
# - ''
1803
# resources:
1804
# - pods
1805
image:
1806
# -- Image registry
1807
registry: cgr.dev
1808
defaultRegistry: reg.kyverno.io
1809
# -- Image repository
1810
repository: chainguard-private/kyverno-reports-controller
1811
# -- (string) Image tag
1812
# Defaults to appVersion in Chart.yaml if omitted
1813
tag: latest@sha256:1bbe2a3d4818e666d8562125b10614209bd0cd8b1129ae7afaf75a61a3146fea
1814
# -- Image pull policy
1815
pullPolicy: IfNotPresent
1816
# -- Image pull secrets
1817
imagePullSecrets: []
1818
# - secretName
1819
1820
# -- (int) Desired number of pods
1821
replicas: ~
1822
# -- The number of revisions to keep
1823
revisionHistoryLimit: 10
1824
# -- Resync period for informers
1825
resyncPeriod: 15m
1826
# -- Additional labels to add to each pod
1827
podLabels: {}
1828
# example.com/label: foo
1829
1830
# -- Additional annotations to add to each pod
1831
podAnnotations: {}
1832
# example.com/annotation: foo
1833
1834
# -- Deployment annotations.
1835
annotations: {}
1836
# -- Deployment update strategy.
1837
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
1838
# @default -- See [values.yaml](values.yaml)
1839
updateStrategy:
1840
rollingUpdate:
1841
maxSurge: 1
1842
maxUnavailable: 40%
1843
type: RollingUpdate
1844
# -- Optional priority class
1845
priorityClassName: ''
1846
# -- Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno reports controller activities.
1847
# This will help ensure Kyverno reports stability in busy clusters.
1848
# Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
1849
apiPriorityAndFairness: false
1850
# -- Priority level configuration.
1851
# The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want.
1852
# ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration
1853
# @default -- See [values.yaml](values.yaml)
1854
priorityLevelConfigurationSpec:
1855
type: Limited
1856
limited:
1857
nominalConcurrencyShares: 10
1858
limitResponse:
1859
queuing:
1860
queueLengthLimit: 50
1861
type: Queue
1862
# -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
1863
# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
1864
# Update the `dnsPolicy` accordingly as well to suit the host network mode.
1865
hostNetwork: false
1866
# -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
1867
# In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
1868
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
1869
dnsPolicy: ClusterFirst
1870
# -- `dnsConfig` allows to specify DNS configuration for the pod.
1871
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config.
1872
dnsConfig: {}
1873
# options:
1874
# - name: ndots
1875
# value: "2"
1876
1877
# -- Extra arguments passed to the container on the command line
1878
extraArgs: {}
1879
# -- Additional container environment variables.
1880
extraEnvVars: []
1881
# Example setting proxy
1882
# extraEnvVars:
1883
# - name: HTTPS_PROXY
1884
# value: 'https://proxy.example.com:3128'
1885
1886
resources:
1887
# -- Pod resource limits
1888
limits:
1889
memory: 128Mi
1890
# -- Pod resource requests
1891
requests:
1892
cpu: 100m
1893
memory: 64Mi
1894
# -- Node labels for pod assignment
1895
nodeSelector:
1896
kubernetes.io/os: linux
1897
# -- List of node taints to tolerate
1898
tolerations: []
1899
antiAffinity:
1900
# -- Pod antiAffinities toggle.
1901
# Enabled by default but can be disabled if you want to schedule pods to the same node.
1902
enabled: true
1903
# -- Pod anti affinity constraints.
1904
# @default -- See [values.yaml](values.yaml)
1905
podAntiAffinity:
1906
preferredDuringSchedulingIgnoredDuringExecution:
1907
- weight: 1
1908
podAffinityTerm:
1909
labelSelector:
1910
matchExpressions:
1911
- key: app.kubernetes.io/component
1912
operator: In
1913
values:
1914
- reports-controller
1915
topologyKey: kubernetes.io/hostname
1916
# -- Pod affinity constraints.
1917
podAffinity: {}
1918
# -- Node affinity constraints.
1919
nodeAffinity: {}
1920
# -- Topology spread constraints.
1921
topologySpreadConstraints: []
1922
# -- Security context for the pod
1923
podSecurityContext: {}
1924
# -- Security context for the containers
1925
securityContext:
1926
runAsNonRoot: true
1927
privileged: false
1928
allowPrivilegeEscalation: false
1929
readOnlyRootFilesystem: true
1930
capabilities:
1931
drop:
1932
- ALL
1933
seccompProfile:
1934
type: RuntimeDefault
1935
podDisruptionBudget:
1936
# -- Enable PodDisruptionBudget.
1937
# Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
1938
enabled: false
1939
# -- Configures the minimum available pods for disruptions.
1940
# Cannot be used if `maxUnavailable` is set.
1941
minAvailable: 1
1942
# -- Configures the maximum unavailable pods for disruptions.
1943
# Cannot be used if `minAvailable` is set.
1944
maxUnavailable:
1945
# -- Unhealthy pod eviction policy to be used.
1946
# Possible values are `IfHealthyBudget` or `AlwaysAllow`.
1947
unhealthyPodEvictionPolicy:
1948
# -- A writable volume to use for the TUF root initialization.
1949
tufRootMountPath: /.sigstore
1950
# -- Volume to be mounted in pods for TUF/cosign work.
1951
sigstoreVolume:
1952
emptyDir: {}
1953
caCertificates:
1954
# -- CA certificates to use with Kyverno deployments
1955
# This value is expected to be one large string of CA certificates
1956
data: ~
1957
# -- Volume to be mounted for CA certificates
1958
# Not used when `.Values.reportsController.caCertificates.data` is defined
1959
volume: {}
1960
# Example to use hostPath:
1961
# hostPath:
1962
# path: /etc/pki/tls/ca-certificates.crt
1963
# type: File
1964
metricsService:
1965
# -- Create service.
1966
create: true
1967
# -- Service port.
1968
# Metrics server will be exposed at this port.
1969
port: 8000
1970
# -- Service type.
1971
type: ClusterIP
1972
# -- (string) Service node port.
1973
# Only used if `type` is `NodePort`.
1974
nodePort: ~
1975
# -- Service annotations.
1976
annotations: {}
1977
# -- (string) Service traffic distribution policy.
1978
# Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
1979
trafficDistribution: ~
1980
networkPolicy:
1981
# -- When true, use a NetworkPolicy to allow ingress to the webhook
1982
# This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
1983
enabled: false
1984
# -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
1985
ingressFrom: []
1986
serviceMonitor:
1987
# -- Create a `ServiceMonitor` to collect Prometheus metrics.
1988
enabled: false
1989
# -- Additional annotations
1990
additionalAnnotations: {}
1991
# -- Additional labels
1992
additionalLabels: {}
1993
# -- (string) Override namespace
1994
namespace: ~
1995
# -- Interval to scrape metrics
1996
interval: 30s
1997
# -- Timeout if metrics can't be retrieved in given time interval
1998
scrapeTimeout: 25s
1999
# -- Is TLS required for endpoint
2000
secure: false
2001
# -- TLS Configuration for endpoint
2002
tlsConfig: {}
2003
# -- RelabelConfigs to apply to samples before scraping
2004
relabelings: []
2005
# -- MetricRelabelConfigs to apply to samples before ingestion.
2006
metricRelabelings: []
2007
tracing:
2008
# -- Enable tracing
2009
enabled: false
2010
# -- (string) Traces receiver address
2011
address: ~
2012
# -- (string) Traces receiver port
2013
port: ~
2014
# -- (string) Traces receiver credentials
2015
creds: ~
2016
metering:
2017
# -- Disable metrics export
2018
disabled: false
2019
# -- Otel configuration, can be `prometheus` or `grpc`
2020
config: prometheus
2021
# -- Prometheus endpoint port
2022
port: 8000
2023
# -- (string) Otel collector endpoint
2024
collector: ~
2025
# -- (string) Otel collector credentials
2026
creds: ~
2027
# -- reportsController server port
2028
# in case you are using hostNetwork: true, you might want to change the port the reportsController is listening to
2029
server:
2030
port: 9443
2031
profiling:
2032
# -- Enable profiling
2033
enabled: false
2034
# -- Profiling endpoint port
2035
port: 6060
2036
# -- Service type.
2037
serviceType: ClusterIP
2038
# -- Service node port.
2039
# Only used if `type` is `NodePort`.
2040
nodePort:
2041
# -- Enable sanity check for reports CRDs
2042
sanityChecks: true
2043
The trusted source for open source
Talk to an expertProduct
Customers
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.