global:
  # -- Internal settings used with `helm template` to generate the install manifest
  # @ignored
  templating:
    enabled: false
    debug: false
    version: null
  image:
    # -- (string) Global value that sets a single image registry across all deployments.
    # When set, it overrides any value set under `.image.registry` across the chart.
    registry: null
  # -- (list) Global list of image pull secrets
  # When set, it overrides any values set under `imagePullSecrets` for the individual components across the chart.
  imagePullSecrets: []
  # -- Resync period for informers
  resyncPeriod: 15m
  # -- Enable/Disable the custom resource watcher that invalidates the cache
  crdWatcher: false
  caCertificates:
    # -- Global CA certificates to use with Kyverno deployments
    # This value is expected to be one large string of CA certificates
    # Individual controller values will override this global value
    data: null
    # -- Global value to set a single volume to be mounted for CA certificates for all deployments.
    # Not used when `.Values.global.caCertificates.data` is defined
    # Individual controller values will override this global value
    volume: {}
    # Example using a hostPath:
    # volume:
    #   hostPath:
    #     path: /etc/pki/tls/ca-certificates.crt
    #     type: File
  # -- Global priority class name for pod priority. Non-global values will override the global value.
  priorityClassName: ""
  # -- Additional container environment variables to apply to all containers and init containers
  extraEnvVars: []
  # Example setting a proxy:
  # extraEnvVars:
  #   - name: HTTPS_PROXY
  #     value: 'https://proxy.example.com:3128'

  # -- Global node labels for pod assignment. Non-global values will override the global value.
  nodeSelector: {}
  # -- Global list of node taints to tolerate. Non-global values will override the global value.
  tolerations: []
# -- (string) Override the name of the chart
nameOverride: null
# -- (string) Override the expanded name of the chart
fullnameOverride: null
# -- (string) Override the namespace the chart deploys to
namespaceOverride: null
upgrade:
  # -- Upgrading from v2 to v3 is not allowed by default; set this to true once the changes have been reviewed.
  fromV2: false
apiVersionOverride:
  # -- (string) Override the api version used to create `PodDisruptionBudget` resources.
  # When not specified, the chart checks whether `policy/v1/PodDisruptionBudget` is available to
  # determine the api version automatically.
  podDisruptionBudget: null
rbac:
  roles:
    # -- Aggregate ClusterRoles to the Kubernetes default user-facing roles. For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
    # Aggregation extends what holders of the built-in `admin` and `view` roles can do with Kyverno resources;
    # set the flags to false if that widening is not wanted.
    aggregate:
      admin: true
      view: true
# Use openreports.io as the API group for reporting
openreports:
  # -- Enable the OpenReports feature in the controllers
  enabled: false
  # -- Whether to install the CRDs from the upstream OpenReports chart. Setting this to true requires `enabled` to also be true.
  installCrds: false
# Reports Server configuration
reportsServer:
  # -- Enable the reports-server deployment alongside Kyverno
  enabled: false
  # -- Wait for reports-server to be ready before starting the Kyverno components
  waitForReady: true
  # -- Timeout when waiting for reports-server readiness (as a duration string, e.g. 300s, 5m)
  readinessTimeout: 300s
# CRDs configuration
crds:
  # -- Whether to have Helm install the Kyverno CRDs. If the CRDs are not installed by Helm, they must be added before policies can be created
  install: true
  reportsServer:
    # -- Kyverno reports-server is used in your cluster
    enabled: false
  groups:
    # -- Install CRDs in group `kyverno.io`
    kyverno:
      cleanuppolicies: true
      clustercleanuppolicies: true
      clusterpolicies: true
      globalcontextentries: true
      policies: true
      policyexceptions: true
      updaterequests: true
    # NOTE(review): `migration.resources` below lists `namespacedgeneratingpolicies.policies.kyverno.io`,
    # but no matching toggle appears in this group — confirm whether one is missing.
    # -- Install CRDs in group `policies.kyverno.io`
    policies:
      validatingpolicies: true
      policyexceptions: true
      imagevalidatingpolicies: true
      namespacedimagevalidatingpolicies: true
      mutatingpolicies: true
      namespacedmutatingpolicies: true
      generatingpolicies: true
      deletingpolicies: true
      namespaceddeletingpolicies: true
      namespacedvalidatingpolicies: true
    # -- Install CRDs in group `reports.kyverno.io`
    reports:
      clusterephemeralreports: true
      ephemeralreports: true
    # -- Install CRDs in group `wgpolicyk8s.io`
    wgpolicyk8s:
      clusterpolicyreports: true
      policyreports: true
  # -- Additional CRDs annotations
  annotations: {}
  # argocd.argoproj.io/sync-options: Replace=true
  # strategy.spinnaker.io/replace: 'true'

  # -- Additional CRDs labels
  customLabels: {}
  migration:
    # -- Enable CRDs migration using a helm post-upgrade hook
    enabled: true
    # -- Resources to migrate
    resources:
      - cleanuppolicies.kyverno.io
      - clustercleanuppolicies.kyverno.io
      - clusterpolicies.kyverno.io
      - globalcontextentries.kyverno.io
      - policies.kyverno.io
      - policyexceptions.kyverno.io
      - updaterequests.kyverno.io
      # policies.kyverno.io
      - deletingpolicies.policies.kyverno.io
      - generatingpolicies.policies.kyverno.io
      - imagevalidatingpolicies.policies.kyverno.io
      - mutatingpolicies.policies.kyverno.io
      - namespaceddeletingpolicies.policies.kyverno.io
      - namespacedgeneratingpolicies.policies.kyverno.io
      - namespacedimagevalidatingpolicies.policies.kyverno.io
      - namespacedmutatingpolicies.policies.kyverno.io
      - namespacedvalidatingpolicies.policies.kyverno.io
      - policyexceptions.policies.kyverno.io
      - validatingpolicies.policies.kyverno.io
    image:
      # -- (string) Image registry
      registry: cgr.dev
      # NOTE(review): undocumented here — presumably the registry used when `registry` is unset; verify against the templates.
      defaultRegistry: reg.kyverno.io
      # -- (string) Image repository
      repository: scratch-images/test-tmp/kyverno-cli
      # -- (string) Image tag
      # Defaults to appVersion in Chart.yaml if omitted.
      # The tag is pinned by digest; keep the `@sha256:` suffix when bumping it so the hook image stays immutable.
      tag: '1.18.0-r1@sha256:07dace408af85bb8b1c4388709a48a9f5f5f3a5be85527236d97603e3db879e5'
      # -- (string) Image pull policy
      pullPolicy: IfNotPresent
    # -- Image pull secrets
    imagePullSecrets: []
    # - name: secretName

    # -- Security context for the pod
    podSecurityContext: {}
    # -- Node labels for pod assignment
    nodeSelector: {}
    # -- List of node taints to tolerate
    tolerations: []
    # -- Pod anti affinity constraints.
    podAntiAffinity: {}
    # -- Pod affinity constraints.
    podAffinity: {}
    # -- Pod labels.
    podLabels: {}
    # -- Pod annotations.
    podAnnotations: {}
    # -- Node affinity constraints.
    nodeAffinity: {}
    # -- Security context for the hook containers
    # Runs as an unprivileged fixed UID/GID with a read-only root filesystem, no capabilities and the runtime default seccomp profile.
    securityContext:
      runAsUser: 65534
      runAsGroup: 65534
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
    podResources:
      # -- Pod resource limits
      limits:
        cpu: 100m
        memory: 256Mi
      # -- Pod resource requests
      requests:
        cpu: 10m
        memory: 64Mi
    serviceAccount:
      # -- Toggle automounting of the ServiceAccount.
      # When set to false, a projected service account token is used instead,
      # which provides time-limited and audience-bound tokens for improved security.
      automountServiceAccountToken: true
      # -- Projected service account token configuration (only used when automountServiceAccountToken is false)
      projectedServiceAccountToken:
        # -- Token expiration time in seconds.
        # The kubelet will request a new token before the token expires.
        expirationSeconds: 3600
        # -- Audience for the projected service account token.
        # If not set, the token will have no audience restriction.
        audience: ""
# NOTE(review): the nesting level of this key was reconstructed from a flattened rendering — confirm it sits at the top level of the chart values.
# -- Scoped token injected into outbound APICall and CEL http requests.
# This token carries a custom audience so that, if leaked to an external service,
# it cannot be replayed against the Kubernetes API server.
apiCallToken:
  # -- Audience for the projected token used in outbound requests.
  # Set this to the audience your receiving service validates in the OIDC token's
  # `aud` claim. The default is `kyverno-svc.kyverno.io`, which is a Kyverno-specific
  # audience and prevents the token from being accepted by the Kubernetes API server.
  audience: "kyverno-svc.kyverno.io"
  # -- Token lifetime in seconds for the projected outbound API call token.
  # The default is `3600` (1 hour). The kubelet requests a replacement before the
  # token expires, so lowering this shortens the token lifetime at the cost of more
  # frequent rotation.
  expirationSeconds: 3600
# Configuration
config:
  # -- Create the configmap.
  create: true
  # -- Preserve the configmap settings during upgrade.
  preserve: true
  # -- (string) The configmap name (required if `create` is `false`).
  name: null
  # -- Additional annotations to add to the configmap.
  annotations: {}
  # -- Enable registry mutation for container images. Enabled by default.
  enableDefaultRegistryMutation: true
  # -- The registry hostname used for the image mutation.
  defaultRegistry: docker.io
  # -- Exclude groups
  excludeGroups:
    - system:nodes
  # -- Exclude usernames
  excludeUsernames: []
  # - '!system:kube-scheduler'

  # -- Exclude roles
  excludeRoles: []
  # -- Exclude cluster roles
  excludeClusterRoles: []
  # -- Generate success events.
  generateSuccessEvents: false
  # -- Comma-separated list of event actions for which success events should be generated.
  # When set, only success events matching the specified actions are emitted.
  # Requires `generateSuccessEvents` to be `true`.
  # Valid values: "Resource Mutated", "Resource Passed", "Resource Generated", "Resource Cleaned Up".
  # Example: "Resource Mutated" or "Resource Mutated,Resource Generated".
  # @default -- "" (empty, all success events are emitted when generateSuccessEvents is true)
  successEventActions: ""
  # -- Maximum cumulative size of context data during policy evaluation.
  # Supports Kubernetes quantity format (e.g., 100Mi, 2Gi) or plain bytes (e.g., 2097152).
  # Limits memory used by context variables to prevent unbounded growth.
  # Increase if policies legitimately need large context data (e.g., processing large ConfigMaps).
  # Set to 0 to disable the limit (not recommended for production).
  # @default -- 2Mi
  maxContextSize: null
  # NOTE(review): the four ServiceMonitor entries below all key off `.Values.admissionController.serviceMonitor.namespace`,
  # including the ones for the background, cleanup and reports controllers — confirm that is intended.
  # -- Resource types to be skipped by the Kyverno policy engine.
  # Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
  # These are joined together without spaces, run through `tpl`, and the result is set in the config map.
  # @default -- See [values.yaml](values.yaml)
  resourceFilters:
    - '[Event,*,*]'
    - '[*/*,kube-system,*]'
    - '[*/*,kube-public,*]'
    - '[*/*,kube-node-lease,*]'
    - '[Node,*,*]'
    - '[Node/?*,*,*]'
    - '[APIService,*,*]'
    - '[APIService/?*,*,*]'
    - '[TokenReview,*,*]'
    - '[SubjectAccessReview,*,*]'
    - '[SelfSubjectAccessReview,*,*]'
    - '[Binding,*,*]'
    - '[Pod/binding,*,*]'
    - '[ReplicaSet,*,*]'
    - '[ReplicaSet/?*,*,*]'
    - '[EphemeralReport,*,*]'
    - '[ClusterEphemeralReport,*,*]'
    # exclude resources from the chart
    - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]'
    - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]'
    - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:additional]'
    - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}]'
    - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:core]'
    - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:additional]'
    - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
    - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:core]'
    - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:additional]'
    - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}]'
    - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:core]'
    - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:additional]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.admission-controller.roleName" . }}]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.background-controller.roleName" . }}]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.reports-controller.roleName" . }}]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
    - '[ServiceAccount/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
    - '[ServiceAccount/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
    - '[ServiceAccount/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
    - '[ServiceAccount/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
    - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]'
    - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[Deployment/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[Deployment/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[Deployment/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[Deployment/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
    - '[Pod/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
    - '[Pod/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
    - '[Pod/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
    - '[Pod/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
    - '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
    - '[Job/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[NetworkPolicy/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[NetworkPolicy/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[NetworkPolicy/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[NetworkPolicy/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[PodDisruptionBudget/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[PodDisruptionBudget/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[PodDisruptionBudget/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[PodDisruptionBudget/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
    - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
    - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
    - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
    - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
    - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.background-controller.name" . }}]'
    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
    - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
  # -- Sets the threshold for the total number of UpdateRequests generated for mutateExisting and generate policies.
  updateRequestThreshold: 1000
  # -- Defines the `namespaceSelector`/`objectSelector` in the webhook configurations.
  # The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
  webhooks:
    # Exclude namespaces
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
    # Exclude objects
    # objectSelector:
    #   matchExpressions:
    #     - key: webhooks.kyverno.io/exclude
    #       operator: DoesNotExist
  # -- Defines annotations to set on webhook configurations.
  webhookAnnotations:
    # This entry is active, not just an example: it disables the admission enforcer on AKS
    # and is set on every webhook configuration the chart creates. Remove it if that is not wanted.
    'admissions.enforcer/disabled': 'true'
  # -- Defines labels to set on webhook configurations.
  webhookLabels: {}
  # Example to adopt webhook resources in ArgoCD:
  # 'argocd.argoproj.io/instance': 'kyverno'

  # -- Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+).
  matchConditions: []
  # -- Exclude Kyverno namespace
  # Determines if the default Kyverno namespace exclusion is enabled for webhooks and resourceFilters
  excludeKyvernoNamespace: true
  # -- resourceFilter namespace exclude
  # Namespaces to exclude from the default resourceFilters
  resourceFiltersExcludeNamespaces: []
  # -- resourceFilters exclude list
  # Items to exclude from config.resourceFilters
  resourceFiltersExclude: []
  # -- resourceFilter namespace include
  # Namespaces to include in the default resourceFilters
  resourceFiltersIncludeNamespaces: []
  # -- resourceFilters include list
  # Items to include in config.resourceFilters
  resourceFiltersInclude: []
# Metrics configuration
metricsConfig:
  # -- Create the configmap.
  create: true
  # -- (string) The configmap name (required if `create` is `false`).
  name: null
  # -- Additional annotations to add to the configmap.
  annotations: {}
  namespaces:
    # -- List of namespaces to capture metrics for.
    include: []
    # -- List of namespaces to NOT capture metrics for.
    exclude: []
  # -- (string) Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting a high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics. WARNING: This flag is not working since Kyverno 1.8.0
  metricsRefreshInterval: null
  # metricsRefreshInterval: 24h

  # -- (list) Configures the bucket boundaries for all Histogram metrics; changing this configuration requires a restart of the kyverno admission controller
  bucketBoundaries:
    - 0.005
    - 0.01
    - 0.025
    - 0.05
    - 0.1
    - 0.25
    - 0.5
    - 1
    - 2.5
    - 5
    - 10
    - 15
    - 20
    - 25
    - 30
  # -- (map) Configures the exposure of individual metrics; by default all metrics and all labels are exported. Changing this configuration requires a restart of the kyverno admission controller
  metricsExposure:
    kyverno_policy_execution_duration_seconds:
      # bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
      disabledLabelDimensions: ['resource_namespace', 'resource_request_operation']
    kyverno_validating_policy_execution_duration_seconds:
      # bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
      disabledLabelDimensions: ['resource_namespace', 'resource_request_operation']
    kyverno_image_validating_policy_execution_duration_seconds:
      # bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
      disabledLabelDimensions: ['resource_namespace', 'resource_request_operation']
    kyverno_mutating_policy_execution_duration_seconds:
      # bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
      disabledLabelDimensions: ['resource_namespace', 'resource_request_operation']
    kyverno_generating_policy_execution_duration_seconds:
      # bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
      disabledLabelDimensions: ['resource_namespace', 'resource_request_operation']
    kyverno_admission_review_duration_seconds:
      # enabled: false
      disabledLabelDimensions: ['resource_namespace']
    kyverno_policy_rule_info_total:
      disabledLabelDimensions: ['resource_namespace', 'policy_namespace']
    kyverno_policy_results_total:
      disabledLabelDimensions: ['resource_namespace', 'policy_namespace']
    kyverno_admission_requests_total:
      disabledLabelDimensions: ['resource_namespace']
    kyverno_cleanup_controller_deletedobjects_total:
      disabledLabelDimensions: ['resource_namespace', 'policy_namespace']
# Credentials placed in `imagePullSecrets` live in plaintext wherever these values are stored;
# prefer `existingImagePullSecrets` below, which references Secrets created out of band.
# -- Image pull secrets for image verification policies; this defines the `--imagePullSecrets` argument
imagePullSecrets: {}
# regcred:
#   registry: foo.example.com
#   username: foobar
#   password: secret
# regcred2:
#   registry: bar.example.com
#   username: barbaz
#   password: secret2

# -- Existing image pull secrets for image verification policies; this defines the `--imagePullSecrets` argument
existingImagePullSecrets: []
# - test-registry
# - other-test-registry

# Tests configuration
test:
  # -- Sleep time (seconds) before running the test
  sleep: 20
  image:
    # -- (string) Image registry
    registry: cgr.dev
    # -- Image repository
    repository: scratch-images/test-tmp/kyverno-readiness-checker
    # -- Image tag
    # Defaults to `latest` if omitted.
    # The tag is pinned by digest; keep the `@sha256:` suffix when bumping it.
    tag: '1.18.0-r1@sha256:07e2f2e0b22029293f375fdb3640c58252523869909899546c971f5ae8127e46'
    # -- (string) Image pull policy
    # Defaults to image.pullPolicy if omitted
    pullPolicy: null
  # -- Image pull secrets
  imagePullSecrets: []
  # - name: secretName

  resources:
    # -- Pod resource limits
    limits:
      cpu: 100m
      memory: 256Mi
    # -- Pod resource requests
    requests:
      cpu: 10m
      memory: 64Mi
  # -- Security context for the test containers
  # Runs as an unprivileged fixed UID/GID with a read-only root filesystem, no capabilities and the runtime default seccomp profile.
  securityContext:
    runAsUser: 65534
    runAsGroup: 65534
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  # -- Toggle automounting of the ServiceAccount.
  # When set to false, a projected service account token is used instead,
  # which provides time-limited and audience-bound tokens for improved security.
  automountServiceAccountToken: true
  # -- Projected service account token configuration (only used when automountServiceAccountToken is false)
  projectedServiceAccountToken:
    # -- Token expiration time in seconds.
    # The kubelet will request a new token before the token expires.
    expirationSeconds: 3600
    # -- Audience for the projected service account token.
    # If not set, the token will have no audience restriction.
    audience: ""
  # -- Node labels for pod assignment
  nodeSelector: {}
  # -- Additional Pod annotations
  podAnnotations: {}
  # -- List of node taints to tolerate
  tolerations: []
  # -- Additional labels
  customLabels: {}
webhooksCleanup:
  # -- Create a helm pre-delete hook to clean up webhooks.
  enabled: true
  image:
    # -- (string) Image registry
    registry: cgr.dev
    # -- Image repository
    repository: scratch-images/test-tmp/kubectl
    # -- Image tag
    # Defaults to `latest` if omitted.
    # The tag is pinned by digest; keep the `@sha256:` suffix when bumping it.
    tag: '1.36.0-r0@sha256:7a93e691227757aa829b9dc7826e90fc4234d4616b951bf09dc0c358e822c848'
    # -- (string) Image pull policy
    # Defaults to image.pullPolicy if omitted
    pullPolicy: null
  # -- Image pull secrets
  imagePullSecrets: []
  # -- Security context for the pod
  podSecurityContext: {}
  # -- Node labels for pod assignment
  nodeSelector: {}
  # -- List of node taints to tolerate
  tolerations: []
  # -- Pod anti affinity constraints.
  podAntiAffinity: {}
  # -- Pod affinity constraints.
  podAffinity: {}
  # -- Pod labels.
  podLabels: {}
  # -- Pod annotations.
  podAnnotations: {}
  # -- Node affinity constraints.
  nodeAffinity: {}
  # -- Security context for the hook containers
  # Runs as an unprivileged fixed UID/GID with a read-only root filesystem, no capabilities and the runtime default seccomp profile.
  securityContext:
    runAsUser: 65534
    runAsGroup: 65534
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  resources:
    # -- Pod resource limits
    limits:
      cpu: 100m
      memory: 256Mi
    # -- Pod resource requests
    requests:
      cpu: 10m
      memory: 64Mi
  serviceAccount:
    # -- Toggle automounting of the ServiceAccount.
    # When set to false, a projected service account token is used instead,
    # which provides time-limited and audience-bound tokens for improved security.
    automountServiceAccountToken: true
    # -- Projected service account token configuration (only used when automountServiceAccountToken is false)
    projectedServiceAccountToken:
      # -- Token expiration time in seconds.
      # The kubelet will request a new token before the token expires.
      expirationSeconds: 3600
      # -- Audience for the projected service account token.
      # If not set, the token will have no audience restriction.
      audience: ""
grafana:
  # -- Enable grafana dashboard creation.
  enabled: false
  # -- Configmap name template.
  configMapName: '{{ include "kyverno.fullname" . }}-grafana'
  # -- (string) Namespace in which to create the grafana dashboard configmap.
  # If not set, it is created in the same namespace the chart is deployed to.
  namespace: null
  # -- Grafana dashboard configmap annotations.
  annotations: {}
  # -- Grafana dashboard configmap labels
  labels:
    grafana_dashboard: '1'
  # -- Create a GrafanaDashboard custom resource referencing the configMap,
  # according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/
  grafanaDashboard:
    create: false
    folder: kyverno
    allowCrossNamespaceImport: true
    matchLabels:
      dashboards: 'grafana'
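# Features configuration
features:
  admissionReports:
    # -- Enables the feature
    enabled: true
  aggregateReports:
    # -- Enables the feature
    enabled: true
  policyReports:
    # -- Enables the feature
    enabled: true
  validatingAdmissionPolicyReports:
    # -- Enables the feature
    enabled: true
  mutatingAdmissionPolicyReports:
    # -- Enables the feature
    enabled: false
  reporting:
    # -- Enables reporting for validate rules
    validate: true
    # -- Enables reporting for mutate rules
    mutate: true
    # -- Enables reporting for mutate-existing rules
    mutateExisting: true
    # -- Enables reporting for image verification rules
    imageVerify: true
    # -- Enables reporting for generate rules
    generate: true
  autoUpdateWebhooks:
    # -- Enables the feature (Kyverno manages its own webhook configurations).
    enabled: true
  backgroundScan:
    # -- Enables the feature
    enabled: true
    # -- Number of background scan workers
    backgroundScanWorkers: 2
    # -- Background scan interval
    backgroundScanInterval: 1h
    # -- Skips resource filters in background scan
    skipResourceFilters: true
  configMapCaching:
    # -- Enables the feature
    enabled: true
  controllerRuntimeMetrics:
    # -- Bind address for controller-runtime metrics (use "0" to disable it)
    bindAddress: ":8080"
  deferredLoading:
    # -- Enables the feature
    enabled: true
  dumpPayload:
    # -- Enables the feature.
    # Debug aid: admission request payloads are written to the controller log,
    # which can expose resource contents. Keep disabled outside of troubleshooting.
    enabled: false
  forceFailurePolicyIgnore:
    # -- Enables the feature.
    # Forces the webhooks' failurePolicy to `Ignore`, i.e. admission fails open when
    # Kyverno is unavailable. Leave disabled where policies must be enforced.
    enabled: false
  generateValidatingAdmissionPolicy:
    # -- Enables the feature
    enabled: true
  generateMutatingAdmissionPolicy:
    # -- Enables the feature
    enabled: false
  dumpPatches:
    # -- Enables the feature (debug aid, logs the generated mutation patches)
    enabled: false
  globalContext:
    # -- Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended)
    maxApiCallResponseLength: 2000000
    # -- Timeout for HTTP API calls made by policies. A value of 0s means no timeout.
    apiCallTimeout: 30s
  logging:
    # -- Logging format
    format: text
    # -- Logging verbosity
    verbosity: 2
  omitEvents:
    # -- Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`)
    eventTypes:
      - PolicyApplied
      - PolicySkipped
      # - PolicyViolation
      # - PolicyError
  policyExceptions:
    # -- Enables the feature.
    # Exceptions relax policy enforcement; control who can create them via RBAC when enabling.
    enabled: false
    # -- Restrict policy exceptions to a single namespace
    # Set to "*" to allow exceptions in all namespaces
    namespace: ''
  protectManagedResources:
    # -- Enables the feature
    enabled: false
  registryClient:
    # -- Allow insecure registry.
    # Disables transport security towards image registries; intended for testing only.
    allowInsecure: false
    # -- Enable registry client helpers
    credentialHelpers:
      - default
      - google
      - amazon
      - azure
      - github
  ttlController:
    # -- Reconciliation interval for the label based cleanup manager
    reconciliationInterval: 1m
  tuf:
    # -- Enables the feature
    enabled: false
    # -- (string) Path to Tuf root
    root: ~
    # -- (string) Raw Tuf root
    rootRaw: ~
    # -- (string) Tuf mirror
    mirror: ~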
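# Admission controller configuration
admissionController:
  autoscaling:
    # -- Enable horizontal pod autoscaling
    enabled: false
    # -- Minimum number of pods
    minReplicas: 1
    # -- Maximum number of pods
    maxReplicas: 10
    # -- Target CPU utilization percentage
    targetCPUUtilizationPercentage: 80
    # -- (int) Target memory utilization percentage
    targetMemoryUtilizationPercentage: ~
    # -- Configurable scaling behavior
    behavior: {}
  # -- Overrides features defined at the root level
  featuresOverride:
    admissionReports:
      # -- Max number of admission reports allowed in flight until the admission controller stops creating new ones
      backPressureThreshold: 1000
  rbac:
    # -- Create RBAC resources
    create: true
    # -- Create rolebinding to view role
    createViewRoleBinding: true
    # -- The view role to use in the rolebinding
    viewRoleName: view
    serviceAccount:
      # -- (string) The ServiceAccount name
      name: ~
      # -- Annotations for the ServiceAccount
      annotations: {}
        # example.com/annotation: value
      # -- Toggle automounting of the ServiceAccount.
      # When set to false, a projected service account token is used instead
      # which provides time-limited and audience-bound tokens for improved security.
      automountServiceAccountToken: true
      # -- Projected service account token configuration (only used when automountServiceAccountToken is false)
      projectedServiceAccountToken:
        # -- Token expiration time in seconds.
        # The kubelet will request a new token before the token expires.
        expirationSeconds: 3600
        # -- Audience for the projected service account token.
        # If not set, the token will have no audience restriction.
        audience: ""
    coreClusterRole:
      # -- Extra resource permissions to add in the core cluster role.
      # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
      # @default -- See [values.yaml](values.yaml)
      extraResources: []
    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      extraResources: []
        # - apiGroups:
        #     - ''
        #   resources:
        #     - pods
        #   verbs:
        #     - create
        #     - update
        #     - delete
  # -- Create self-signed certificates at deployment time.
  # The certificates won't be automatically renewed if this is set to `true`.
  createSelfSignedCert: false
  # -- Key algorithm for self-signed TLS certificates.
  # Supported values: RSA, ECDSA, Ed25519
  # Only used when createSelfSignedCert is false (Kyverno-managed certificates).
  tlsKeyAlgorithm: RSA
  # -- Configure cert-manager to manage TLS certificates.
  # When enabled, cert-manager Certificate resources will be created to provision
  # the TLS certificates for the admission controller.
  # Requires cert-manager to be installed in the cluster.
  # Takes precedence over createSelfSignedCert when enabled.
  certManager:
    # -- Enable cert-manager integration for certificate management
    enabled: false
    # -- Create a self-signed ClusterIssuer for CA generation.
    # Set to false if you want to use an existing issuer specified in issuerRef.
    createSelfSignedIssuer: true
    # -- Reference to an existing issuer for signing CA certificates.
    # Only used when createSelfSignedIssuer is false.
    issuerRef:
      # -- Name of the issuer
      name: ""
      # -- Kind of the issuer (ClusterIssuer or Issuer)
      kind: ClusterIssuer
      # -- Group of the issuer
      group: cert-manager.io
    # -- Key algorithm for certificates (RSA, ECDSA, Ed25519)
    algorithm: RSA
    # -- Key size for RSA (2048, 4096) or ECDSA (256, 384).
    # Ignored for Ed25519.
    size: 2048
    # -- CA certificate configuration
    ca:
      # -- Duration of the CA certificate (default 10 years)
      duration: 87600h
      # -- Time before expiry to renew the CA certificate (default 30 days)
      renewBefore: 720h
    # -- TLS certificate configuration
    tls:
      # -- Duration of the TLS certificate (default 1 year)
      duration: 8760h
      # -- Time before expiry to renew the TLS certificate (default 30 days)
      renewBefore: 720h
  # -- (int) Desired number of pods
  replicas: ~
  # -- The number of revisions to keep
  revisionHistoryLimit: 10
  # -- Resync period for informers
  resyncPeriod: 15m
  # -- Enable/Disable custom resource watcher to invalidate cache
  crdWatcher: false
  # -- Additional labels to add to each pod
  podLabels: {}
    # example.com/label: foo
  # -- Additional annotations to add to each pod
  podAnnotations: {}
    # example.com/annotation: foo
  # -- Deployment labels.
  labels: {}
  # -- Deployment annotations.
  annotations: {}
  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate
  # -- Optional priority class
  priorityClassName: ''
  # -- Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno admission controller activities.
  # This will help ensure Kyverno stability in busy clusters.
  # Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
  apiPriorityAndFairness: false
  # -- Priority level configuration.
  # The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want.
  # ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration
  # @default -- See [values.yaml](values.yaml)
  priorityLevelConfigurationSpec:
    type: Limited
    limited:
      nominalConcurrencyShares: 10
      limitResponse:
        queuing:
          queueLengthLimit: 50
        type: Queue
  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  # Note that with host networking the webhook port below is bound on the node itself.
  hostNetwork: false
  # -- admissionController webhook server port
  # in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to
  # The probe ports below are not derived from this value; keep them in sync when changing it.
  webhookServer:
    port: 9443
  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst
  # -- `dnsConfig` allows to specify DNS configuration for the pod.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config.
  dnsConfig: {}
    # options:
    #   - name: ndots
    #     value: "2"
  # -- Startup probe.
  # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  startupProbe:
    httpGet:
      path: /health/liveness
      # must match `webhookServer.port`
      port: 9443
      scheme: HTTPS
    failureThreshold: 20
    initialDelaySeconds: 2
    periodSeconds: 6
  # -- Liveness probe.
  # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  livenessProbe:
    httpGet:
      path: /health/liveness
      # must match `webhookServer.port`
      port: 9443
      scheme: HTTPS
    initialDelaySeconds: 15
    periodSeconds: 30
    timeoutSeconds: 5
    failureThreshold: 2
    successThreshold: 1
  # -- Readiness Probe.
  # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  readinessProbe:
    httpGet:
      path: /health/readiness
      # must match `webhookServer.port`
      port: 9443
      scheme: HTTPS
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  # -- Node labels for pod assignment
  nodeSelector:
    kubernetes.io/os: linux
  # -- List of node taints to tolerate
  tolerations: []
  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true
  # -- Pod anti affinity constraints.
  # @default -- See [values.yaml](values.yaml)
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - admission-controller
          topologyKey: kubernetes.io/hostname
  # -- Pod affinity constraints.
  podAffinity: {}
  # -- Node affinity constraints.
  nodeAffinity: {}
  # -- Topology spread constraints.
  topologySpreadConstraints: []
  # -- Security context for the pod.
  # Empty by default; the container-level `securityContext` blocks below carry the hardening
  # (non-root, no privilege escalation, read-only root fs, all capabilities dropped, RuntimeDefault seccomp).
  # Pod-wide settings such as `fsGroup` belong here.
  podSecurityContext: {}
  podDisruptionBudget:
    # -- Enable PodDisruptionBudget.
    # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
    enabled: false
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable: ~
    # -- Unhealthy pod eviction policy to be used.
    # Possible values are `IfHealthyBudget` or `AlwaysAllow`.
    unhealthyPodEvictionPolicy: ~
  # -- A writable volume to use for the TUF root initialization.
  tufRootMountPath: /.sigstore
  # -- Volume to be mounted in pods for TUF/cosign work.
  sigstoreVolume:
    emptyDir: {}
  caCertificates:
    # -- CA certificates to use with Kyverno deployments
    # This value is expected to be one large string of CA certificates
    data: ~
    # -- Volume to be mounted for CA certificates
    # Not used when `.Values.admissionController.caCertificates.data` is defined
    volume: {}
      # Example to use hostPath:
      # hostPath:
      #   path: /etc/pki/tls/ca-certificates.crt
      #   type: File
  # -- Image pull secrets
  imagePullSecrets: []
    # - secretName
  initContainer:
    image:
      # -- Image registry
      registry: cgr.dev
      defaultRegistry: reg.kyverno.io
      # -- Image repository
      repository: scratch-images/test-tmp/kyvernopre
      # -- (string) Image tag
      # If missing, defaults to image.tag
      tag: 1.18.0-r1@sha256:2c42583af12dae0872eb3ee9d81161c8f77e0d52f840a40e3dbf29fb9805cf82
      # -- (string) Image pull policy
      # If missing, defaults to image.pullPolicy
      pullPolicy: ~
    resources:
      # -- Pod resource limits
      limits:
        cpu: 100m
        memory: 256Mi
      # -- Pod resource requests
      requests:
        cpu: 10m
        memory: 64Mi
    # -- Container security context
    securityContext:
      runAsUser: 65534
      runAsGroup: 65534
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
    # -- Additional container args.
    extraArgs: {}
    # -- Additional container environment variables.
    extraEnvVars: []
      # Example setting proxy
      # extraEnvVars:
      #   - name: HTTPS_PROXY
      #     value: 'https://proxy.example.com:3128'
  container:
    image:
      # -- Image registry
      registry: cgr.dev
      defaultRegistry: reg.kyverno.io
      # -- Image repository
      repository: scratch-images/test-tmp/kyverno
      # -- (string) Image tag
      # Defaults to appVersion in Chart.yaml if omitted
      tag: 1.18.0-r1@sha256:e711bf0773531be81cbedb8abf746a82ffdffa572f650bfc727d49d0d7a31c6d
      # -- Image pull policy
      pullPolicy: IfNotPresent
    resources:
      # -- Pod resource limits
      limits:
        memory: 384Mi
      # -- Pod resource requests
      requests:
        cpu: 100m
        memory: 128Mi
    # -- Container security context
    securityContext:
      runAsUser: 65534
      runAsGroup: 65534
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
    # -- Additional container args.
    extraArgs: {}
    # -- Additional container environment variables.
    extraEnvVars: []
      # Example setting proxy
      # extraEnvVars:
      #   - name: HTTPS_PROXY
      #     value: 'https://proxy.example.com:3128'
  # -- Array of extra init containers
  extraInitContainers: []
    # - name: init-container
    #   image: busybox
    #   command: ['sh', '-c', 'echo Hello']
  # -- Array of extra containers to run alongside kyverno
  extraContainers: []
    # - name: myapp-container
    #   image: busybox
    #   command: ['sh', '-c', 'echo Hello && sleep 3600']
  # -- Additional volumes to be mounted in the pod
  extraVolumes: []
    # - name: my-volume
    #   emptyDir: {}
  # -- Additional volumeMounts to be mounted to the main container
  extraVolumeMounts: []
    # - name: my-volume
    #   mountPath: /path/to/mount
  service:
    # -- Service port.
    port: 443
    # -- Service type.
    type: ClusterIP
    # -- (int) Service node port.
    # Only used if `type` is `NodePort`.
    nodePort: ~
    # -- Service annotations.
    annotations: {}
    # -- (string) Service traffic distribution policy.
    # Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
    trafficDistribution: ~
  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Kyverno's metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    type: ClusterIP
    # -- (int) Service node port.
    # Only used if `type` is `NodePort`.
    nodePort: ~
    # -- Service annotations.
    annotations: {}
    # -- (string) Service traffic distribution policy.
    # Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
    trafficDistribution: ~
  networkPolicy:
    # -- When true, use a NetworkPolicy to allow ingress to the webhook
    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
    enabled: false
    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
    ingressFrom: []
  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional annotations
    additionalAnnotations: {}
    # -- Additional labels
    additionalLabels: {}
    # -- (string) Override namespace
    namespace: ~
    # -- Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}
    # -- RelabelConfigs to apply to samples before scraping
    relabelings: []
    # -- MetricRelabelConfigs to apply to samples before ingestion.
    metricRelabelings: []
  tracing:
    # -- Enable tracing
    enabled: false
    # -- (string) Traces receiver address
    address: ~
    # -- (int) Traces receiver port
    port: ~
    # -- Traces receiver credentials.
    # Prefer referencing a Secret over committing credential values into a values file.
    creds: ''
  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- Is TLS required for endpoint
    secure: false
    # -- Key algorithm for self-signed TLS certificates.
    # Supported values: RSA, ECDSA, Ed25519
    tlsKeyAlgorithm: RSA
    # -- Otel collector endpoint
    collector: ''
    # -- Otel collector credentials.
    # Prefer referencing a Secret over committing credential values into a values file.
    creds: ''
  profiling:
    # -- Enable profiling
    enabled: false
    # -- Profiling endpoint port
    port: 6060
    # -- Service type.
    serviceType: ClusterIP
    # -- (int) Service node port.
    # Only used if `serviceType` is `NodePort`.
    nodePort: ~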
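# Background controller configuration
backgroundController:
  # -- Overrides features defined at the root level
  featuresOverride: {}
  # -- Enable background controller.
  enabled: true
  rbac:
    # -- Create RBAC resources
    create: true
    # -- Create rolebinding to view role
    createViewRoleBinding: true
    # -- The view role to use in the rolebinding
    viewRoleName: view
    serviceAccount:
      # -- (string) Service account name
      name: ~
      # -- Annotations for the ServiceAccount
      annotations: {}
        # example.com/annotation: value
      # -- Toggle automounting of the ServiceAccount.
      # When set to false, a projected service account token is used instead
      # which provides time-limited and audience-bound tokens for improved security.
      automountServiceAccountToken: true
      # -- Projected service account token configuration (only used when automountServiceAccountToken is false)
      projectedServiceAccountToken:
        # -- Token expiration time in seconds.
        # The kubelet will request a new token before the token expires.
        expirationSeconds: 3600
        # -- Audience for the projected service account token.
        # If not set, the token will have no audience restriction.
        audience: ""
    coreClusterRole:
      # -- Extra resource permissions to add in the core cluster role.
      # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
      # The default grants write access (including to roles/rolebindings and networkpolicies) that generate
      # rules need when they create such resources; trim entries you do not rely on to keep the controller least-privileged.
      # @default -- See [values.yaml](values.yaml)
      extraResources:
        - apiGroups:
            - networking.k8s.io
          resources:
            - ingresses
            - ingressclasses
            - networkpolicies
          verbs:
            - create
            - update
            - patch
            - delete
        - apiGroups:
            - rbac.authorization.k8s.io
          resources:
            - rolebindings
            - roles
          verbs:
            - create
            - update
            - patch
            - delete
        - apiGroups:
            - ''
          resources:
            - configmaps
            - resourcequotas
            - limitranges
          verbs:
            - create
            - update
            - patch
            - delete
        - apiGroups:
            - resource.k8s.io
          resources:
            - resourceclaims
            - resourceclaimtemplates
          verbs:
            - create
            - delete
            - update
            - patch
            - deletecollection
    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      extraResources: []
        # - apiGroups:
        #     - ''
        #   resources:
        #     - pods
        #   verbs:
        #     - create
        #     - update
        #     - delete
        #     - patch
  image:
    # -- Image registry
    registry: cgr.dev
    defaultRegistry: reg.kyverno.io
    # -- Image repository
    repository: scratch-images/test-tmp/kyverno-background-controller
    # -- Image tag
    # Defaults to appVersion in Chart.yaml if omitted
    tag: 1.18.0-r1@sha256:16579a383cdf1453f488d310bbf625257f151aff0853eb7f0702915efc9e39f2
    # -- Image pull policy
    pullPolicy: IfNotPresent
  # -- Image pull secrets
  imagePullSecrets: []
    # - secretName
  # -- (int) Desired number of pods
  replicas: ~
  # -- The number of revisions to keep
  revisionHistoryLimit: 10
  # -- Resync period for informers
  resyncPeriod: 15m
  # -- Additional labels to add to each pod
  podLabels: {}
    # example.com/label: foo
  # -- Additional annotations to add to each pod
  podAnnotations: {}
    # example.com/annotation: foo
  # -- Deployment labels.
  labels: {}
  # -- Deployment annotations.
  annotations: {}
  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate
  # -- Optional priority class
  priorityClassName: ''
  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  hostNetwork: false
  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst
  # -- `dnsConfig` allows to specify DNS configuration for the pod.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config.
  dnsConfig: {}
    # options:
    #   - name: ndots
    #     value: "2"
  # -- Extra arguments passed to the container on the command line
  extraArgs: {}
  # -- Additional container environment variables.
  extraEnvVars: []
    # Example setting proxy
    # extraEnvVars:
    #   - name: HTTPS_PROXY
    #     value: 'https://proxy.example.com:3128'
  resources:
    # -- Pod resource limits
    limits:
      memory: 128Mi
    # -- Pod resource requests
    requests:
      cpu: 100m
      memory: 64Mi
  # -- Node labels for pod assignment
  nodeSelector:
    kubernetes.io/os: linux
  # -- List of node taints to tolerate
  tolerations: []
  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true
  # -- Pod anti affinity constraints.
  # @default -- See [values.yaml](values.yaml)
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - background-controller
          topologyKey: kubernetes.io/hostname
  # -- Pod affinity constraints.
  podAffinity: {}
  # -- Node affinity constraints.
  nodeAffinity: {}
  # -- Topology spread constraints.
  topologySpreadConstraints: []
  # -- Security context for the pod.
  # Empty by default; the hardening lives in the container-level `securityContext` below.
  # Pod-wide settings such as `fsGroup` belong here.
  podSecurityContext: {}
  # -- Security context for the containers
  securityContext:
    runAsUser: 65534
    runAsGroup: 65534
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  podDisruptionBudget:
    # -- Enable PodDisruptionBudget.
    # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
    enabled: false
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable: ~
    # -- Unhealthy pod eviction policy to be used.
    # Possible values are `IfHealthyBudget` or `AlwaysAllow`.
    unhealthyPodEvictionPolicy: ~
  caCertificates:
    # -- CA certificates to use with Kyverno deployments
    # This value is expected to be one large string of CA certificates
    data: ~
    # -- Volume to be mounted for CA certificates
    # Not used when `.Values.backgroundController.caCertificates.data` is defined
    volume: {}
      # Example to use hostPath:
      # hostPath:
      #   path: /etc/pki/tls/ca-certificates.crt
      #   type: File
  # -- Additional volumes to be mounted in the pod
  extraVolumes: []
    # - name: my-volume
    #   emptyDir: {}
  # -- Additional volumeMounts to be mounted to the main container
  extraVolumeMounts: []
    # - name: my-volume
    #   mountPath: /path/to/mount
  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    type: ClusterIP
    # -- (int) Service node port.
    # Only used if `metricsService.type` is `NodePort`.
    nodePort: ~
    # -- Service annotations.
    annotations: {}
    # -- (string) Service traffic distribution policy.
    # Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
    trafficDistribution: ~
  networkPolicy:
    # -- When true, use a NetworkPolicy to allow ingress to the webhook
    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
    enabled: false
    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
    ingressFrom: []
  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional annotations
    additionalAnnotations: {}
    # -- Additional labels
    additionalLabels: {}
    # -- (string) Override namespace
    namespace: ~
    # -- Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}
    # -- RelabelConfigs to apply to samples before scraping
    relabelings: []
    # -- MetricRelabelConfigs to apply to samples before ingestion.
    metricRelabelings: []
  tracing:
    # -- Enable tracing
    enabled: false
    # -- (string) Traces receiver address
    address: ~
    # -- (int) Traces receiver port
    port: ~
    # -- Traces receiver credentials.
    # Prefer referencing a Secret over committing credential values into a values file.
    creds: ''
  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- Is TLS required for endpoint
    secure: false
    # -- Key algorithm for self-signed TLS certificates.
    # Supported values: RSA, ECDSA, Ed25519
    tlsKeyAlgorithm: RSA
    # -- Otel collector endpoint
    collector: ''
    # -- Otel collector credentials.
    # Prefer referencing a Secret over committing credential values into a values file.
    creds: ''
  # -- backgroundController server port
  # in case you are using hostNetwork: true, you might want to change the port the backgroundController is listening to
  server:
    port: 9443
  profiling:
    # -- Enable profiling
    enabled: false
    # -- Profiling endpoint port
    port: 6060
    # -- Service type.
    serviceType: ClusterIP
    # -- (int) Service node port.
    # Only used if `serviceType` is `NodePort`.
    nodePort: ~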
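# Cleanup controller configuration
cleanupController:
  # -- Overrides features defined at the root level
  featuresOverride: {}
  # -- Enable cleanup controller.
  enabled: true
  rbac:
    # -- Create RBAC resources
    create: true
    serviceAccount:
      # -- (string) Service account name
      name: ~
      # -- Annotations for the ServiceAccount
      annotations: {}
        # example.com/annotation: value

      # -- Toggle automounting of the ServiceAccount.
      # When set to false, a projected service account token is used instead
      # which provides time-limited and audience-bound tokens for improved security.
      automountServiceAccountToken: true
      # -- Projected service account token configuration (only used when automountServiceAccountToken is false)
      projectedServiceAccountToken:
        # -- Token expiration time in seconds.
        # The kubelet will request a new token before the token expires.
        expirationSeconds: 3600
        # -- Audience for the projected service account token.
        # If not set, the token will have no audience restriction.
        audience: ''
    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      extraResources: []
      # - apiGroups:
      #     - ''
      #   resources:
      #     - pods
      #   verbs:
      #     - delete
      #     - list
      #     - watch
  # -- Create self-signed certificates at deployment time.
  # The certificates won't be automatically renewed if this is set to `true`.
  createSelfSignedCert: false
  # -- Key algorithm for self-signed TLS certificates.
  # Supported values: RSA, ECDSA, Ed25519
  # Only used when createSelfSignedCert is false (Kyverno-managed certificates).
  tlsKeyAlgorithm: RSA
  # -- Configure cert-manager to manage TLS certificates.
  # When enabled, cert-manager Certificate resources will be created to provision
  # the TLS certificates for the cleanup controller.
  # Requires cert-manager to be installed in the cluster.
  # Takes precedence over createSelfSignedCert when enabled.
  certManager:
    # -- Enable cert-manager integration for certificate management
    enabled: false
    # -- Create a self-signed ClusterIssuer for CA generation.
    # Set to false if you want to use an existing issuer specified in issuerRef.
    createSelfSignedIssuer: true
    # -- Reference to an existing issuer for signing CA certificates.
    # Only used when createSelfSignedIssuer is false.
    issuerRef:
      # -- Name of the issuer
      name: ''
      # -- Kind of the issuer (ClusterIssuer or Issuer)
      kind: ClusterIssuer
      # -- Group of the issuer
      group: cert-manager.io
    # -- Key algorithm for certificates (RSA, ECDSA, Ed25519)
    algorithm: RSA
    # -- Key size for RSA (2048, 4096) or ECDSA (256, 384).
    # Ignored for Ed25519.
    size: 2048
    # -- CA certificate configuration
    ca:
      # -- Duration of the CA certificate (default 10 years)
      duration: 87600h
      # -- Time before expiry to renew the CA certificate (default 30 days)
      renewBefore: 720h
    # -- TLS certificate configuration
    tls:
      # -- Duration of the TLS certificate (default 1 year)
      duration: 8760h
      # -- Time before expiry to renew the TLS certificate (default 30 days)
      renewBefore: 720h
  image:
    # -- Image registry
    registry: cgr.dev
    defaultRegistry: reg.kyverno.io
    # -- Image repository
    # NOTE(review): the path contains "scratch-images/test-tmp", which reads like a
    # temporary test location — confirm this is the intended published repository.
    repository: scratch-images/test-tmp/kyverno-cleanup-controller
    # -- (string) Image tag
    # Defaults to appVersion in Chart.yaml if omitted
    # The `@sha256:` suffix pins the exact image content, so re-pointing the tag
    # upstream cannot silently change what is pulled.
    tag: 1.18.0-r1@sha256:d886ec9eb5fbe61d95fd815e4548a4064cab4554064983671eefcd842bacc18e
    # -- Image pull policy
    pullPolicy: IfNotPresent
    # -- Image pull secrets
    imagePullSecrets: []
    # - secretName

  # -- (int) Desired number of pods
  replicas: ~
  # -- The number of revisions to keep
  revisionHistoryLimit: 10
  # -- Resync period for informers
  resyncPeriod: 15m
  # -- Additional labels to add to each pod
  podLabels: {}
    # example.com/label: foo

  # -- Additional annotations to add to each pod
  podAnnotations: {}
    # example.com/annotation: foo

  # -- Deployment labels.
  labels: {}
  # -- Deployment annotations.
  annotations: {}
  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate
  # -- Optional priority class
  priorityClassName: ''
  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  hostNetwork: false
  # -- cleanupController server port
  # in case you are using hostNetwork: true, you might want to change the port the cleanupController is listening to
  # The probe blocks further down carry their own literal `port: 9443`; keep them
  # in sync when changing this value.
  server:
    port: 9443
  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst
  # -- `dnsConfig` allows to specify DNS configuration for the pod.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config.
  dnsConfig: {}
    # options:
    #   - name: ndots
    #     value: "2"

  # -- Extra arguments passed to the container on the command line
  extraArgs: {}
  # -- Additional container environment variables.
  extraEnvVars: []
  # Example setting proxy
  # extraEnvVars:
  #   - name: HTTPS_PROXY
  #     value: 'https://proxy.example.com:3128'

  resources:
    # -- Pod resource limits
    limits:
      memory: 128Mi
    # -- Pod resource requests
    requests:
      cpu: 100m
      memory: 64Mi
  # -- Startup probe.
  # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  startupProbe:
    httpGet:
      path: /health/liveness
      port: 9443
      scheme: HTTPS
    failureThreshold: 20
    initialDelaySeconds: 2
    periodSeconds: 6
  # -- Liveness probe.
  # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  livenessProbe:
    httpGet:
      path: /health/liveness
      port: 9443
      scheme: HTTPS
    initialDelaySeconds: 15
    periodSeconds: 30
    timeoutSeconds: 5
    failureThreshold: 2
    successThreshold: 1
  # -- Readiness Probe.
  # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  readinessProbe:
    httpGet:
      path: /health/readiness
      port: 9443
      scheme: HTTPS
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  # -- Node labels for pod assignment
  nodeSelector:
    kubernetes.io/os: linux
  # -- List of node taints to tolerate
  tolerations: []
  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true
  # -- Pod anti affinity constraints.
  # @default -- See [values.yaml](values.yaml)
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - cleanup-controller
          topologyKey: kubernetes.io/hostname
  # -- Pod affinity constraints.
  podAffinity: {}
  # -- Node affinity constraints.
  nodeAffinity: {}
  # -- Topology spread constraints.
  topologySpreadConstraints: []
  # -- Security context for the pod
  # Left empty by default; the hardening settings (non-root, read-only root
  # filesystem, dropped capabilities, seccomp) are applied per container below.
  podSecurityContext: {}
  # -- Security context for the containers
  securityContext:
    runAsUser: 65534
    runAsGroup: 65534
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  podDisruptionBudget:
    # -- Enable PodDisruptionBudget.
    # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
    enabled: false
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable: ~
    # -- Unhealthy pod eviction policy to be used.
    # Possible values are `IfHealthyBudget` or `AlwaysAllow`.
    unhealthyPodEvictionPolicy: ~
  # -- Additional volumes to be mounted in the pod
  extraVolumes: []
    # - name: my-volume
    #   emptyDir: {}

  # -- Additional volumeMounts to be mounted to the main container
  extraVolumeMounts: []
    # - name: my-volume
    #   mountPath: /path/to/mount

  service:
    # -- Service port.
    port: 443
    # -- Service type.
    type: ClusterIP
    # -- (string) Service node port.
    # Only used if `service.type` is `NodePort`.
    nodePort: ~
    # -- Service annotations.
    annotations: {}
    # -- (string) Service traffic distribution policy.
    # Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
    trafficDistribution: ~
  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    type: ClusterIP
    # -- (string) Service node port.
    # Only used if `metricsService.type` is `NodePort`.
    nodePort: ~
    # -- Service annotations.
    annotations: {}
    # -- (string) Service traffic distribution policy.
    # Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
    trafficDistribution: ~
  networkPolicy:
    # -- When true, use a NetworkPolicy to allow ingress to the webhook
    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
    enabled: false
    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
    ingressFrom: []
  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional annotations
    additionalAnnotations: {}
    # -- Additional labels
    additionalLabels: {}
    # -- (string) Override namespace
    namespace: ~
    # -- Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}
    # -- RelabelConfigs to apply to samples before scraping
    relabelings: []
    # -- MetricRelabelConfigs to apply to samples before ingestion.
    metricRelabelings: []
  tracing:
    # -- Enable tracing
    enabled: false
    # -- (string) Traces receiver address
    address: ~
    # -- (string) Traces receiver port
    port: ~
    # -- Traces receiver credentials
    creds: ''
  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- Is TLS required for endpoint
    secure: false
    # -- Key algorithm for self-signed TLS certificates.
    # Supported values: RSA, ECDSA, Ed25519
    tlsKeyAlgorithm: RSA
    # -- Otel collector endpoint
    collector: ''
    # -- Otel collector credentials
    creds: ''
  profiling:
    # -- Enable profiling
    enabled: false
    # -- Profiling endpoint port
    port: 6060
    # -- Service type.
    serviceType: ClusterIP
    # -- (string) Service node port.
    # Only used if `serviceType` is `NodePort`.
    nodePort: ~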
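# Reports controller configuration
reportsController:
  # -- Overrides features defined at the root level
  featuresOverride: {}
  # -- Enable reports controller.
  enabled: true
  rbac:
    # -- Create RBAC resources
    create: true
    # -- Create rolebinding to view role
    createViewRoleBinding: true
    # -- The view role to use in the rolebinding
    viewRoleName: view
    serviceAccount:
      # -- (string) Service account name
      name: ~
      # -- Annotations for the ServiceAccount
      annotations: {}
        # example.com/annotation: value

      # -- Toggle automounting of the ServiceAccount.
      # When set to false, a projected service account token is used instead
      # which provides time-limited and audience-bound tokens for improved security.
      automountServiceAccountToken: true
      # -- Projected service account token configuration (only used when automountServiceAccountToken is false)
      projectedServiceAccountToken:
        # -- Token expiration time in seconds.
        # The kubelet will request a new token before the token expires.
        expirationSeconds: 3600
        # -- Audience for the projected service account token.
        # If not set, the token will have no audience restriction.
        audience: ''
    coreClusterRole:
      # -- Extra resource permissions to add in the core cluster role.
      # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
      # @default -- See [values.yaml](values.yaml)
      extraResources: []
    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      extraResources: []
      # - apiGroups:
      #     - ''
      #   resources:
      #     - pods
  image:
    # -- Image registry
    registry: cgr.dev
    defaultRegistry: reg.kyverno.io
    # -- Image repository
    # NOTE(review): the path contains "scratch-images/test-tmp", which reads like a
    # temporary test location — confirm this is the intended published repository.
    repository: scratch-images/test-tmp/kyverno-reports-controller
    # -- (string) Image tag
    # Defaults to appVersion in Chart.yaml if omitted
    # The `@sha256:` suffix pins the exact image content, so re-pointing the tag
    # upstream cannot silently change what is pulled.
    tag: 1.18.0-r1@sha256:3b426ba7a77c8b7b499fe20be95ee83ddf7dd2136e5ad253e34981d59a11f8ca
    # -- Image pull policy
    pullPolicy: IfNotPresent
    # -- Image pull secrets
    imagePullSecrets: []
    # - secretName

  # -- (int) Desired number of pods
  replicas: ~
  # -- The number of revisions to keep
  revisionHistoryLimit: 10
  # -- Resync period for informers
  resyncPeriod: 15m
  # -- Additional labels to add to each pod
  podLabels: {}
    # example.com/label: foo

  # -- Additional annotations to add to each pod
  podAnnotations: {}
    # example.com/annotation: foo

  # -- Deployment labels.
  labels: {}
  # -- Deployment annotations.
  annotations: {}
  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate
  # -- Optional priority class
  priorityClassName: ''
  # -- Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno reports controller activities.
  # This will help ensure Kyverno reports stability in busy clusters.
  # Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
  apiPriorityAndFairness: false
  # -- Priority level configuration.
  # The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want.
  # ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration
  # @default -- See [values.yaml](values.yaml)
  priorityLevelConfigurationSpec:
    type: Limited
    limited:
      nominalConcurrencyShares: 10
      limitResponse:
        queuing:
          queueLengthLimit: 50
        type: Queue
  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  hostNetwork: false
  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst
  # -- `dnsConfig` allows to specify DNS configuration for the pod.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config.
  dnsConfig: {}
    # options:
    #   - name: ndots
    #     value: "2"

  # -- Extra arguments passed to the container on the command line
  extraArgs: {}
  # -- Additional container environment variables.
  extraEnvVars: []
  # Example setting proxy
  # extraEnvVars:
  #   - name: HTTPS_PROXY
  #     value: 'https://proxy.example.com:3128'

  resources:
    # -- Pod resource limits
    limits:
      memory: 128Mi
    # -- Pod resource requests
    requests:
      cpu: 100m
      memory: 64Mi
  # -- Node labels for pod assignment
  nodeSelector:
    kubernetes.io/os: linux
  # -- List of node taints to tolerate
  tolerations: []
  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true
  # -- Pod anti affinity constraints.
  # @default -- See [values.yaml](values.yaml)
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - reports-controller
          topologyKey: kubernetes.io/hostname
  # -- Pod affinity constraints.
  podAffinity: {}
  # -- Node affinity constraints.
  nodeAffinity: {}
  # -- Topology spread constraints.
  topologySpreadConstraints: []
  # -- Security context for the pod
  # Left empty by default; the hardening settings (non-root, read-only root
  # filesystem, dropped capabilities, seccomp) are applied per container below.
  podSecurityContext: {}
  # -- Security context for the containers
  securityContext:
    runAsUser: 65534
    runAsGroup: 65534
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  podDisruptionBudget:
    # -- Enable PodDisruptionBudget.
    # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
    enabled: false
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable: ~
    # -- Unhealthy pod eviction policy to be used.
    # Possible values are `IfHealthyBudget` or `AlwaysAllow`.
    unhealthyPodEvictionPolicy: ~
  # -- A writable volume to use for the TUF root initialization.
  # Needed because `readOnlyRootFilesystem: true` above leaves no other writable path.
  tufRootMountPath: /.sigstore
  # -- Volume to be mounted in pods for TUF/cosign work.
  sigstoreVolume:
    emptyDir: {}
  caCertificates:
    # -- CA certificates to use with Kyverno deployments
    # This value is expected to be one large string of CA certificates
    data: ~
    # -- Volume to be mounted for CA certificates
    # Not used when `.Values.reportsController.caCertificates.data` is defined
    volume: {}
      # Example to use hostPath:
      # hostPath:
      #   path: /etc/pki/tls/ca-certificates.crt
      #   type: File
  # -- Additional volumes to be mounted in the pod
  extraVolumes: []
    # - name: my-volume
    #   emptyDir: {}

  # -- Additional volumeMounts to be mounted to the main container
  extraVolumeMounts: []
    # - name: my-volume
    #   mountPath: /path/to/mount

  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    type: ClusterIP
    # -- (string) Service node port.
    # Only used if `type` is `NodePort`.
    nodePort: ~
    # -- Service annotations.
    annotations: {}
    # -- (string) Service traffic distribution policy.
    # Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
    trafficDistribution: ~
  networkPolicy:
    # -- When true, use a NetworkPolicy to allow ingress to the webhook
    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
    enabled: false
    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
    ingressFrom: []
  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional annotations
    additionalAnnotations: {}
    # -- Additional labels
    additionalLabels: {}
    # -- (string) Override namespace
    namespace: ~
    # -- Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}
    # -- RelabelConfigs to apply to samples before scraping
    relabelings: []
    # -- MetricRelabelConfigs to apply to samples before ingestion.
    metricRelabelings: []
  tracing:
    # -- Enable tracing
    enabled: false
    # -- (string) Traces receiver address
    address: ~
    # -- (string) Traces receiver port
    port: ~
    # -- (string) Traces receiver credentials
    creds: ~
  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- Is TLS required for endpoint
    secure: false
    # -- Key algorithm for self-signed TLS certificates.
    # Supported values: RSA, ECDSA, Ed25519
    tlsKeyAlgorithm: RSA
    # -- (string) Otel collector endpoint
    collector: ~
    # -- (string) Otel collector credentials
    creds: ~
  # -- reportsController server port
  # in case you are using hostNetwork: true, you might want to change the port the reportsController is listening to
  server:
    port: 9443
  profiling:
    # -- Enable profiling
    enabled: false
    # -- Profiling endpoint port
    port: 6060
    # -- Service type.
    serviceType: ClusterIP
    # -- (string) Service node port.
    # Only used if `serviceType` is `NodePort`.
    nodePort: ~
  # -- Enable sanity check for reports CRDs
  sanityChecks: true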
