
gatekeeper

Helm chart
Default values

# Default values for the gatekeeper Helm chart as published on this page.
# The flat top-level keys below configure the admission webhooks and the audit loop.
replicas: 3
revisionHistoryLimit: 10
# Audit runs periodically and reports violations on resources that already exist.
auditInterval: 60
metricsBackends: ["prometheus"]
auditMatchKindOnly: false
constraintViolationsLimit: 20
auditFromCache: false
disableAudit: false
disableMutation: false
disableValidatingWebhook: false
validatingWebhookName: gatekeeper-validating-webhook-configuration
validatingWebhookTimeoutSeconds: 3
# failurePolicy Ignore is fail-open: when the webhook errors or exceeds the
# timeout above, the API server admits the request without evaluating
# constraints. Anything admitted that way is only caught later by audit.
# Fail closes that gap but ties API availability to the webhook.
validatingWebhookFailurePolicy: Ignore
validatingWebhookAnnotations: {}
validatingWebhookExemptNamespacesLabels: {}
validatingWebhookObjectSelector: {}
validatingWebhookMatchConditions: []
# This is a separate failure policy from validatingWebhookFailurePolicy above
# and is set to fail closed (Fail).
validatingWebhookCheckIgnoreFailurePolicy: Fail
validatingWebhookCustomRules: {}
# Sub-resources sent to the validating webhook. This list includes
# pods/resize; the mutating list further down does not.
validatingWebhookSubResources: ["pods/ephemeralcontainers", "pods/exec", "pods/log", "pods/eviction", "pods/portforward", "pods/proxy", "pods/attach", "pods/binding", "pods/resize", "deployments/scale", "replicasets/scale", "statefulsets/scale", "replicationcontrollers/scale", "services/proxy", "nodes/proxy", "services/status"]
validatingWebhookURL: null
validatingWebhookScope: "*"
# DELETE and CONNECT operations are not validated by default, so constraints
# meant to cover deletions or exec/attach/port-forward need these enabled.
enableDeleteOperations: false
enableConnectOperations: false
# External data is on by default; see externaldataProviderResponseCacheTTL
# below for how long provider responses are cached.
enableExternalData: true
enableGeneratorResourceExpansion: true
enableTLSHealthcheck: false
maxServingThreads: -1
mutatingWebhookName: gatekeeper-mutating-webhook-configuration
# Fail-open, like the validating webhook: a mutation that cannot be applied
# within the 1 second timeout below is skipped and the object is admitted
# unmodified.
mutatingWebhookFailurePolicy: Ignore
mutatingWebhookReinvocationPolicy: Never
mutatingWebhookAnnotations: {}
mutatingWebhookExemptNamespacesLabels: {}
mutatingWebhookObjectSelector: {}
mutatingWebhookMatchConditions: []
mutatingWebhookTimeoutSeconds: 1
mutatingWebhookCustomRules: {}
mutatingWebhookSubResources: ["pods/ephemeralcontainers", "pods/exec", "pods/log", "pods/eviction", "pods/portforward", "pods/proxy", "pods/attach", "pods/binding", "deployments/scale", "replicasets/scale", "statefulsets/scale", "replicationcontrollers/scale", "services/proxy", "nodes/proxy", "services/status"]
mutatingWebhookURL: null
mutatingWebhookScope: "*"
mutationAnnotations: false
auditChunkSize: 500
logLevel: INFO
# Denied requests and applied mutations are not logged by default; enabling
# these gives detection and incident response a record of policy decisions.
logDenies: false
logMutations: false
admissionEventsInvolvedNamespace: false
auditEventsInvolvedNamespace: false
resourceQuota: true
externaldataProviderResponseCacheTTL: 3m
enableK8sNativeValidation: true
commonAnnotations: {}
extraVolumeMounts: []
extraVolumes: []
# Main Gatekeeper image. The release value carries a sha256 digest, so the
# content is pinned by digest and the "latest" tag in front of it is only a
# label.
image:
  repository: cgr.dev/chainguard-private/gatekeeper-fips
  # NOTE(review): this still names openpolicyagent/gatekeeper-crds while the
  # hook jobs below use cgr.dev repositories; confirm which value the chart
  # templates actually consume.
  crdRepository: openpolicyagent/gatekeeper-crds
  release: latest@sha256:3048e2dc9502e6a94c841e9a96e4e1ba9496dd01e25c4284ebab94fd5fabe9d8
  pullPolicy: IfNotPresent
  # Empty by default; the chainguard-private path suggests pull credentials
  # are needed — confirm for the target registry setup.
  pullSecrets: []
# Image for the pre-install CRD job, pinned by digest.
preInstall:
  crdRepository:
    image:
      repository: cgr.dev/chainguard-private/gatekeeper-crds-fips
      tag: latest@sha256:851b60969315e4bd2d225fa3a33bc3659f7a1b790878367f9bc56c47e21a6510
# Post-upgrade hook that labels namespaces; disabled by default.
# Nesting is reconstructed from a page that lost indentation: the scheduling
# and securityContext keys are placed at the postUpgrade level — confirm
# against the chart.
postUpgrade:
  labelNamespace:
    serviceAccount:
      name: gatekeeper-update-namespace-label-post-upgrade
      create: true
    enabled: false
    image:
      repository: cgr.dev/chainguard-private/gatekeeper-crds-fips
      tag: latest@sha256:851b60969315e4bd2d225fa3a33bc3659f7a1b790878367f9bc56c47e21a6510
      pullPolicy: IfNotPresent
      pullSecrets: []
    extraNamespaces: []
    # Pod Security Admission labels: restricted for audit, warn and enforce.
    # enforce is pinned to v1.24 while audit and warn track latest.
    podSecurity: ["pod-security.kubernetes.io/audit=restricted", "pod-security.kubernetes.io/audit-version=latest", "pod-security.kubernetes.io/warn=restricted", "pod-security.kubernetes.io/warn-version=latest", "pod-security.kubernetes.io/enforce=restricted", "pod-security.kubernetes.io/enforce-version=v1.24"]
    extraAnnotations: {}
    priorityClassName: ""
  affinity: {}
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}
  resources: {}
  # Hardened container settings: non-root, no privilege escalation, all
  # capabilities dropped, read-only root filesystem.
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsGroup: 999
    runAsNonRoot: true
    runAsUser: 1000
# Post-install hooks: namespace labelling and a webhook probe, both enabled.
# Nesting is reconstructed from a page that lost indentation: waitTimeout
# through priorityClassName are placed under probeWebhook, and the scheduling
# and securityContext keys at the postInstall level — confirm against the chart.
postInstall:
  labelNamespace:
    serviceAccount:
      name: gatekeeper-update-namespace-label
      create: true
    enabled: true
    extraRules: []
    image:
      repository: cgr.dev/chainguard-private/gatekeeper-crds-fips
      tag: latest@sha256:851b60969315e4bd2d225fa3a33bc3659f7a1b790878367f9bc56c47e21a6510
      pullPolicy: IfNotPresent
      pullSecrets: []
    extraNamespaces: []
    # Pod Security Admission labels: restricted for audit, warn and enforce.
    # enforce is pinned to v1.24 while audit and warn track latest.
    podSecurity: ["pod-security.kubernetes.io/audit=restricted", "pod-security.kubernetes.io/audit-version=latest", "pod-security.kubernetes.io/warn=restricted", "pod-security.kubernetes.io/warn-version=latest", "pod-security.kubernetes.io/enforce=restricted", "pod-security.kubernetes.io/enforce-version=v1.24"]
    extraAnnotations: {}
    priorityClassName: ""
  probeWebhook:
    enabled: true
    image:
      repository: cgr.dev/chainguard-private/curl-fips
      tag: latest@sha256:fe306db47ff8e878f601e78b245c4ae03f399d730f9651b5b6cef5e3ab2a20cc
      pullPolicy: IfNotPresent
      pullSecrets: []
    waitTimeout: 60
    httpTimeout: 2
    # Presumably false keeps TLS certificate verification on for the probe;
    # verify against the probe job template.
    insecureHTTPS: false
    priorityClassName: ""
  affinity: {}
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}
  # Hardened container settings: non-root, no privilege escalation, all
  # capabilities dropped, read-only root filesystem.
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsGroup: 999
    runAsNonRoot: true
    runAsUser: 1000
# Pre-uninstall hook that deletes the webhook configurations; disabled by
# default.
# Nesting is reconstructed from a page that lost indentation: the scheduling
# and securityContext keys are placed at the preUninstall level — confirm
# against the chart.
preUninstall:
  deleteWebhookConfigurations:
    serviceAccount:
      name: gatekeeper-delete-webhook-configs
      create: true
    extraRules: []
    enabled: false
    image:
      repository: cgr.dev/chainguard-private/gatekeeper-crds-fips
      tag: latest@sha256:851b60969315e4bd2d225fa3a33bc3659f7a1b790878367f9bc56c47e21a6510
      pullPolicy: IfNotPresent
      pullSecrets: []
    priorityClassName: ""
  affinity: {}
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}
  resources: {}
  # Hardened container settings: non-root, no privilege escalation, all
  # capabilities dropped, read-only root filesystem.
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsGroup: 999
    runAsNonRoot: true
    runAsUser: 1000
# Pod-level metadata and limits shared across the chart.
podAnnotations: {}
auditPodAnnotations: {}
podLabels: {}
# Quoted, so this value is a string rather than an integer.
podCountLimit: "100"
secretAnnotations: {}
# The RuntimeDefault seccomp profile is enabled by default.
enableRuntimeDefaultSeccompProfile: true
# Settings for the admission webhook (controller manager) deployment.
# Nesting is reconstructed from a page that lost indentation; placements that
# cannot be determined from the page are marked NOTE(review).
controllerManager:
  serviceAccount:
    # The audit section uses the same service account name, so both
    # workloads run under one identity.
    name: gatekeeper-admin
    # NOTE(review): the page does not show whether this key belongs under
    # serviceAccount or directly under controllerManager — confirm.
    automountServiceAccountToken: true
  containerName: manager
  # Namespaces listed here bypass the webhook; empty by default.
  exemptNamespaces: []
  exemptNamespacePrefixes: []
  hostNetwork: false
  dnsPolicy: ClusterFirst
  port: 8443
  metricsPort: 8888
  healthPort: 9090
  readinessTimeout: 1
  livenessTimeout: 1
  priorityClassName: system-cluster-critical
  # false leaves Gatekeeper's own certificate rotation on.
  disableCertRotation: false
  # Unquoted, so YAML parses this as the float 1.3.
  tlsMinVersion: 1.3
  clientCertName: ""
  strategyType: RollingUpdate
  strategyRollingUpdate: {}
  podLabels: {}
  # Soft anti-affinity: prefer spreading webhook pods across nodes.
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: gatekeeper.sh/operation
                  operator: In
                  values:
                    - webhook
            topologyKey: kubernetes.io/hostname
          weight: 100
  topologySpreadConstraints: []
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}
  # A memory limit is set; no CPU limit is set.
  resources:
    limits:
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 512Mi
  # Hardened container settings: non-root, no privilege escalation, all
  # capabilities dropped, read-only root filesystem.
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsGroup: 999
    runAsNonRoot: true
    runAsUser: 1000
  podSecurityContext:
    fsGroup: 999
    supplementalGroups:
      - 999
  extraRules: []
  # No NetworkPolicy is created by default. The commented example admits
  # 0.0.0.0/0, i.e. any source; narrow the ingress sources when enabling this.
  networkPolicy:
    enabled: false
    ingress: []
    # - from:
    #   - ipBlock:
    #       cidr: 0.0.0.0/0
  # NOTE(review): placed under controllerManager by symmetry with the
  # disable*Operation keys at the end of the audit section — confirm.
  disableWebhookOperation: false
  disableGenerateOperation: true
# NOTE(review): shown here as a top-level key; the page does not show its
# nesting — confirm against the chart.
exportBackend: ""
# Settings for the audit deployment and its violation-export sidecar.
# Nesting is reconstructed from a page that lost indentation; placements that
# cannot be determined from the page are marked NOTE(review).
audit:
  exportConnection:
    path: /tmp/violations/topics
    # NOTE(review): placed under exportConnection next to path — confirm.
    maxAuditResults: 3
  exportVolumeMount:
    path: /tmp/violations
  # Violations are written to an emptyDir volume.
  exportVolume:
    name: tmp-violations
    emptyDir: {}
  exportSidecar:
    name: reader
    # NOTE(review): the image name contains "fake-reader", which suggests a
    # sample consumer — confirm whether it is meant for production use.
    image: cgr.dev/chainguard-private/open-policy-agent-fake-reader-fips:latest@sha256:2bcf0e577a21a83107025a12dedd7d94fb61c609912edc2d38078e602c5289b7
    imagePullPolicy: Always
    # Hardened like the main containers, with seccomp set explicitly here.
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true
      runAsGroup: 999
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
    volumeMounts:
      - mountPath: /tmp/violations
        name: tmp-violations
  serviceAccount:
    # Same service account name as controllerManager, so audit and the
    # webhook run under one identity.
    name: gatekeeper-admin
    # NOTE(review): the page does not show whether this key belongs under
    # serviceAccount or directly under audit — confirm.
    automountServiceAccountToken: true
  containerName: manager
  hostNetwork: false
  dnsPolicy: ClusterFirst
  metricsPort: 8888
  healthPort: 9090
  readinessTimeout: 1
  livenessTimeout: 1
  priorityClassName: system-cluster-critical
  disableCertRotation: false
  podLabels: {}
  affinity: {}
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}
  # A memory limit is set; no CPU limit is set.
  resources:
    limits:
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 512Mi
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsGroup: 999
    runAsNonRoot: true
    runAsUser: 1000
  podSecurityContext:
    fsGroup: 999
    supplementalGroups:
      - 999
  writeToRAMDisk: false
  extraRules: []
  # NOTE(review): the four disable* keys are placed under audit — confirm.
  disableGenerateOperation: false
  disableAuditOperation: false
  disableAuditSidecar: false
  disableStatusOperation: false
# Scheduling and security settings under the crds key.
crds:
  affinity: {}
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}
  resources: {}
  # Same hardening as the other sections, but with UID/GID 65532 instead of
  # 1000/999.
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsGroup: 65532
    runAsNonRoot: true
    runAsUser: 65532
# Keep at least one webhook pod available during voluntary disruptions.
pdb:
  controllerManager:
    minAvailable: 1
service: {}
# OPA's http.send builtin is disabled by default, so Rego policies cannot
# make outbound HTTP requests from the admission controller.
disabledBuiltins: ["{http.send}"]
upgradeCRDs:
  serviceAccount:
    create: true
    name: gatekeeper-admin-upgrade-crds
  enabled: true
  extraRules: []
  priorityClassName: ""
rbac:
  create: true
# Disabled by default. When enabled, secretName names the Secret expected to
# hold the webhook server certificate.
externalCertInjection:
  enabled: false
  secretName: gatekeeper-webhook-server-cert
# NOTE(review): shown here as a top-level key; the page does not show its
# nesting — confirm against the chart.
serviceAccount:
  gatekeeperAdmin:
    create: true
