kyverno-policies

Helm chart
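# Default values for the kyverno-policies Helm chart.
# Keys prefixed with `# --` are picked up by helm-docs; commented examples
# below each key show the expected shape of non-empty values.

# -- Policy kind (`ClusterPolicy`, `Policy`)
# Set to `Policy` if you need namespaced policies and not cluster policies
policyKind: ClusterPolicy

# -- Policy engine type (`ClusterPolicy`, `ValidatingPolicy`)
# Set to `ValidatingPolicy` to use CEL-based policies (requires Kyverno 1.17+)
# ClusterPolicy will be deprecated in Kyverno 1.17
# Default: ClusterPolicy (for backward compatibility)
policyType: ClusterPolicy

# -- Pod Security Standard profile (`baseline`, `restricted`, `privileged`, `custom`).
# For more info https://kyverno.io/policies/pod-security.
podSecurityStandard: baseline

# -- Pod Security Standard severity (`low`, `medium`, `high`).
podSecuritySeverity: medium

# -- Define podSecuritySeverity overrides for specific policies.
# Override the global `podSecuritySeverity` with an individual severity for individual policies.
# An empty string per-policy entry suppresses the annotation entirely.
podSecuritySeverityByPolicy: {}
#   disallow-host-path: high
#   disallow-privileged-containers: high

# -- Policies to include when `podSecurityStandard` is `custom`.
podSecurityPolicies: []

# -- Additional policies to include from `other`.
includeOtherPolicies: []
#   - require-non-root-groups

# -- Additional policies to include from `restricted`.
includeRestrictedPolicies: []
#   - require-run-as-non-root-user

# -- Additional custom policies to include.
customPolicies: []
#   - apiVersion: kyverno.io/v1
#     kind: ClusterPolicy
#     metadata: # metadata
#     spec: # spec

# -- API server behavior if the webhook fails to respond ('Ignore', 'Fail')
# `Fail` rejects admission requests when Kyverno is unavailable (fail closed);
# `Ignore` lets them through unchecked (fail open).
# For more info: https://kyverno.io/docs/policy-types/cluster-policy/policy-settings/
failurePolicy: Fail

# -- Validation failure action (`Audit`, `Enforce`).
# `Audit` only records violations (policy reports / events); admission is
# blocked only with `Enforce`.
# For more info https://kyverno.io/docs/policy-types/cluster-policy/validate.
validationFailureAction: Audit

# -- Define validationFailureActionByPolicy for specific policies.
# Override the defined `validationFailureAction` with an individual validationFailureAction for individual Policies.
validationFailureActionByPolicy: {}
#   disallow-capabilities-strict: Enforce
#   disallow-host-path: Enforce
#   disallow-host-ports: Enforce

# -- Define validationFailureActionOverrides for specific policies.
# The overrides for `all` will apply to all policies.
validationFailureActionOverrides:
  all: []
  # all:
  #   - action: Audit
  #     namespaces:
  #       - ingress-nginx
  # disallow-host-path:
  #   - action: Audit
  #     namespaces:
  #       - fluent

# -- Default audit annotations applied to all ValidatingPolicy policies (policyType: ValidatingPolicy only).
# Map of annotation key to CEL valueExpression. Audit annotations are recorded in the API server audit log.
# For more info https://kyverno.io/docs/policy-types/validating-policy/#using-auditannotations-to-add-custom-data
auditAnnotations: {}
#   policy-evaluated-by: "'kyverno-policies-helm'"

# -- Define audit annotations for specific ValidatingPolicy policies (policyType: ValidatingPolicy only).
# Per-policy entries override defaults when they share the same key.
auditAnnotationsByPolicy: {}
#   disallow-host-path:
#     violation-details: >-
#       has(object.spec.volumes) ? 'hostPath volumes found: ' + object.spec.volumes.filter(v, has(v.hostPath)).map(v, v.name).join(', ') : 'no volumes'

# -- Allow existing violations.
# When true, updates to a resource that already violates a policy are not
# blocked; only newly introduced violations are. Set to false to also reject
# updates of pre-existing violating resources.
# For more info https://kyverno.io/docs/policy-types/.
validationAllowExistingViolations: true

# -- Exclude resources from individual policies (policyType: ClusterPolicy only).
# Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map.
# NOTE: This setting only applies when policyType is set to ClusterPolicy. For ValidatingPolicy, use vpolExclude/vpolExcludeByPolicy instead.
# Every exclude is an admission bypass for the matched resources; keep the
# match as narrow as possible (specific kinds, namespaces and rules).
policyExclude: {}
#   # Exclude resources from individual policies
#   disallow-host-path:
#     all:
#       - resources:
#           kinds:
#             - Pod
#           namespaces:
#             - fluent
#   # Policies with multiple rules can have individual rules excluded
#   adding-capabilities-strict:
#     any:
#       - resources:
#           kinds:
#             - Pod
#           namespaces:
#             - kube-system

# -- Default excludes applied to ALL ValidatingPolicy policies (policyType: ValidatingPolicy only).
# NOTE: This setting only applies when policyType is set to ValidatingPolicy. For ClusterPolicy, use policyExclude instead.
# Supports the following optional keys:
#   excludeResourceRules: list of Kubernetes NamedRuleWithOperations (native VAP excludes)
#   excludeNamespaces: list of namespace names to exclude (generates CEL matchCondition)
#   excludeSubjects: list of subjects to exclude (generates CEL matchCondition)
#   matchConditions: list of CEL matchConditions for advanced filtering (passthrough of custom condition)
# Per-policy overrides via vpolExcludeByPolicy replace these defaults entirely for that policy.
# Subject-based excludes bypass the policy for everything that identity
# creates; prefer namespace or resource scoped excludes where they suffice.
vpolExclude: {}
#   excludeNamespaces:
#     - kube-system
#   excludeSubjects:
#     - kind: Group
#       name: system:masters

# -- Per-policy excludes for individual ValidatingPolicy policies (policyType: ValidatingPolicy only).
# When set for a policy, it completely replaces the global vpolExclude defaults for that policy.
# NOTE: This setting only applies when policyType is set to ValidatingPolicy. For ClusterPolicy, use policyExclude instead.
# Each policy name maps to an object with the same keys as vpolExclude.
vpolExcludeByPolicy: {}
#   disallow-host-path:
#     excludeResourceRules:
#       - apiGroups:
#           - ""
#         apiVersions:
#           - v1
#         operations:
#           - CREATE
#           - UPDATE
#         resources:
#           - pods
#         # optional - exact resource names to exclude
#         resourceNames:
#           - specific-pod-name
#     excludeNamespaces:
#       - kube-system
#       - monitoring
#     excludeSubjects:
#       - kind: Group
#         name: system:masters
#       - kind: User
#         name: admin@example.com
#       - kind: ServiceAccount
#         namespace: kube-system
#         name: default
#     matchConditions:
#       - name: exclude-custom
#         expression: "!object.metadata.name.startsWith('temp-')"

# -- Add preconditions to individual policies.
# Policies with multiple rules can have preconditions added to individual rules by using the name of the rule as the key in the `policyPreconditions` map.
# A precondition that does not hold skips the rule for that request, so it
# narrows what the policy checks in the same way an exclude does.
policyPreconditions: {}
#   # Add preconditions to individual policies
#   require-run-as-non-root-user:
#     all:
#       - key: "{{ request.object.metadata.name }}"
#         operator: NotEquals
#         value: "dcgm-exporter*"
#   # Policies with multiple rules can have preconditions added to individual rules
#   require-drop-all:
#     any:
#       - key: "{{ request.object.metadata.name }}"
#         operator: NotEquals
#         value: "dcgm-exporter*"
#   adding-capabilities-strict:
#     all:
#       - key: "{{ request.object.metadata.name }}"
#         operator: NotEquals
#         value: "dcgm-exporter*"

# -- Customize the target Pod controllers for the auto-generated rules.
# (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`)
# An empty string keeps Kyverno's default set of controllers.
# For more info https://kyverno.io/docs/policy-types/cluster-policy/autogen/.
autogenControllers: ""

# -- Name override.
# `null` keeps the chart's generated name.
nameOverride: null

# -- Additional Annotations.
customAnnotations: {}

# -- Define custom annotations for specific policies.
# Per-policy entries override defaults when they share the same key.
customAnnotationsByPolicy: {}
#   disallow-host-path:
#     my-custom-annotation: "some-value"

# -- Additional labels.
customLabels: {}

# -- Policies background mode
# When true, policies are also evaluated against existing resources by the
# background controller and results are written to policy reports.
background: true

# -- (bool) SkipBackgroundRequests bypasses admission requests that are sent by the background controller
# `null` leaves the field unset so Kyverno applies its own default.
skipBackgroundRequests: null

# -- Kyverno version
# The default of "autodetect" will try to determine the currently installed version from the deployment
kyvernoVersion: autodetect

# -- Kubernetes version override
# Override default value of kubeVersion set by release team taken from Chart.yaml with custom value.
# Ideally range of versions no more than two prior (ex., 1.28-1.31), must be enclosed in quotes
# (an unquoted value such as 1.30 would be parsed as the float 1.3).
kubeVersionOverride: null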
