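global:
  # -- Internal settings used with `helm template` to generate install manifest
  # @ignored
  templating:
    enabled: false
    debug: false
    version: ~
  image:
    # -- (string) Global value that allows to set a single image registry across all deployments.
    # When set, it will override any values set under `.image.registry` across the chart.
    registry: ~
  # -- (list) Global list of Image pull secrets
  # When set, it will override any values set under `imagePullSecrets` under different components across the chart.
  imagePullSecrets: []
  # -- Resync period for informers
  resyncPeriod: 15m
  # -- Enable/Disable custom resource watcher to invalidate cache
  crdWatcher: false
  caCertificates:
    # -- Global CA certificates to use with Kyverno deployments
    # This value is expected to be one large string of CA certificates
    # Individual controller values will override this global value
    data: ~
    # -- Global value to set single volume to be mounted for CA certificates for all deployments.
    # Not used when `.Values.global.caCertificates.data` is defined
    # Individual controller values will override this global value
    volume: {}
    # Example to use hostPath:
    # hostPath:
    #   path: /etc/pki/tls/ca-certificates.crt
    #   type: File
  # -- Additional container environment variables to apply to all containers and init containers
  extraEnvVars: []
  # Example setting proxy
  # extraEnvVars:
  #   - name: HTTPS_PROXY
  #     value: 'https://proxy.example.com:3128'

  # -- Global node labels for pod assignment. Non-global values will override the global value.
  nodeSelector: {}
  # -- Global List of node taints to tolerate. Non-global values will override the global value.
  tolerations: []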
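# -- (string) Override the name of the chart
nameOverride: ~

# -- (string) Override the expanded name of the chart
fullnameOverride: ~

# -- (string) Override the namespace the chart deploys to
namespaceOverride: ~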
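upgrade:
  # -- Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed.
  fromV2: false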
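apiVersionOverride:
  # -- (string) Override api version used to create `PodDisruptionBudget` resources.
  # When not specified the chart will check if `policy/v1/PodDisruptionBudget` is available to
  # determine the api version automatically.
  podDisruptionBudget: ~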
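rbac:
  roles:
    # Aggregation extends the cluster's default `admin` and `view` ClusterRoles with
    # Kyverno resource permissions, so every subject already bound to those roles
    # gains the aggregated access.
    # -- Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
    aggregate:
      admin: true
      view: true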
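# Use openreports.io as the API group for reporting
openreports:
  # -- Enable OpenReports feature in controllers
  enabled: false
  # -- Whether to install CRDs from the upstream OpenReports chart. Setting this to true requires enabled to also be true.
  installCrds: false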
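# CRDs configuration
crds:
  # -- Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created
  install: true
  reportsServer:
    # -- Kyverno reports-server is used in your cluster
    enabled: false
  groups:
    # -- Install CRDs in group `kyverno.io`
    kyverno:
      cleanuppolicies: true
      clustercleanuppolicies: true
      clusterpolicies: true
      globalcontextentries: true
      policies: true
      policyexceptions: true
      updaterequests: true
    # -- Install CRDs in group `policies.kyverno.io`
    policies:
      validatingpolicies: true
      policyexceptions: true
      imagevalidatingpolicies: true
      namespacedimagevalidatingpolicies: true
      mutatingpolicies: true
      generatingpolicies: true
      deletingpolicies: true
      namespaceddeletingpolicies: true
      namespacedvalidatingpolicies: true
    # -- Install CRDs in group `reports.kyverno.io`
    reports:
      clusterephemeralreports: true
      ephemeralreports: true
    # -- Install CRDs in group `wgpolicyk8s.io`
    wgpolicyk8s:
      clusterpolicyreports: true
      policyreports: true
  # -- Additional CRDs annotations
  annotations: {}
  # argocd.argoproj.io/sync-options: Replace=true
  # strategy.spinnaker.io/replace: 'true'

  # -- Additional CRDs labels
  customLabels: {}
  migration:
    # -- Enable CRDs migration using helm post upgrade hook
    enabled: true
    # -- Resources to migrate
    resources:
      - cleanuppolicies.kyverno.io
      - clustercleanuppolicies.kyverno.io
      - clusterpolicies.kyverno.io
      - globalcontextentries.kyverno.io
      - policies.kyverno.io
      - policyexceptions.kyverno.io
      - updaterequests.kyverno.io
      - deletingpolicies.policies.kyverno.io
      - generatingpolicies.policies.kyverno.io
      - imagevalidatingpolicies.policies.kyverno.io
      - namespacedimagevalidatingpolicies.policies.kyverno.io
      - mutatingpolicies.policies.kyverno.io
      - namespaceddeletingpolicies.policies.kyverno.io
      - namespacedvalidatingpolicies.policies.kyverno.io
      - policyexceptions.policies.kyverno.io
      - validatingpolicies.policies.kyverno.io
    image:
      # -- (string) Image registry
      registry: cgr.dev
      defaultRegistry: reg.kyverno.io
      # -- (string) Image repository
      repository: scratch-images/test-tmp/kyverno-cli
      # The tag below is pinned by digest; the `@sha256:` part, not the tag name,
      # selects the image that runs, so the tag cannot be silently retargeted.
      # Quoted so that YAML never reinterprets the value.
      # -- (string) Image tag
      # Defaults to appVersion in Chart.yaml if omitted
      tag: '1.16.4-r7@sha256:82f5b07294632b023b34df4389a9ca3e765da95f470a25f21dbc25d6b71d666d'
      # -- (string) Image pull policy
      pullPolicy: IfNotPresent
    # -- Image pull secrets
    imagePullSecrets: []
    # - name: secretName

    # -- Security context for the pod
    podSecurityContext: {}
    # -- Node labels for pod assignment
    nodeSelector: {}
    # -- List of node taints to tolerate
    tolerations: []
    # -- Pod anti affinity constraints.
    podAntiAffinity: {}
    # -- Pod affinity constraints.
    podAffinity: {}
    # -- Pod labels.
    podLabels: {}
    # -- Pod annotations.
    podAnnotations: {}
    # -- Node affinity constraints.
    nodeAffinity: {}
    # Restricted-profile defaults: non-root fixed UID/GID, no privilege escalation,
    # read-only root filesystem, all capabilities dropped, RuntimeDefault seccomp.
    # -- Security context for the hook containers
    securityContext:
      runAsUser: 65534
      runAsGroup: 65534
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
    podResources:
      # -- Pod resource limits
      limits:
        cpu: 100m
        memory: 256Mi
      # -- Pod resource requests
      requests:
        cpu: 10m
        memory: 64Mi
    serviceAccount:
      # -- Toggle automounting of the ServiceAccount
      automountServiceAccountToken: true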
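# NOTE(review): top-level placement reconstructed from the rendered listing — confirm against the chart's values.yaml.
# -- Scoped token injected into outbound APICall and CEL HTTP requests.
# This token carries a custom audience so that if leaked to an external service
# it cannot be replayed against the Kubernetes API server.
apiCallToken:
  # Keep the audience distinct from the API server's own audience; reusing the
  # API server audience would undo the replay protection described above.
  # -- Audience for the projected token used in outbound requests.
  # Set this to the audience your receiving service validates in the OIDC token's
  # `aud` claim. The default is `kyverno-svc.kyverno.io`, which is a Kyverno-specific
  # audience and prevents the token from being accepted by the Kubernetes API server.
  audience: "kyverno-svc.kyverno.io"
  # -- Token lifetime in seconds for the projected outbound API call token.
  # The default is `3600` (1 hour). The kubelet requests a replacement before the
  # token expires, so lowering this reduces token lifetime while increasing rotation
  # frequency.
  expirationSeconds: 3600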
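# Configuration
config:
  # -- Create the configmap.
  create: true
  # -- Preserve the configmap settings during upgrade.
  preserve: true
  # -- (string) The configmap name (required if `create` is `false`).
  name: ~
  # -- Additional annotations to add to the configmap.
  annotations: {}
  # -- Enable registry mutation for container images. Enabled by default.
  enableDefaultRegistryMutation: true
  # -- The registry hostname used for the image mutation.
  defaultRegistry: docker.io
  # Requests authenticated as members of these groups bypass policy evaluation;
  # `system:nodes` covers kubelet-originated requests.
  # -- Exclude groups
  excludeGroups:
    - system:nodes
  # -- Exclude usernames
  excludeUsernames: []
  # - '!system:kube-scheduler'

  # -- Exclude roles
  excludeRoles: []
  # -- Exclude cluster roles
  excludeClusterRoles: []
  # -- Generate success events.
  generateSuccessEvents: false
  # -- Maximum cumulative size of context data during policy evaluation.
  # Supports Kubernetes quantity format (e.g., 100Mi, 2Gi) or plain bytes (e.g., 2097152).
  # Limits memory used by context variables to prevent unbounded growth.
  # Increase if policies legitimately need large context data (e.g., processing large ConfigMaps).
  # Set to 0 to disable the limit (not recommended for production).
  # @default -- 2Mi
  maxContextSize: ~
  # Everything matched here is never seen by the policy engine. Note that the
  # default list skips `kube-system`, `kube-public` and `kube-node-lease` wholesale;
  # use `resourceFiltersExclude` / `resourceFiltersExcludeNamespaces` below to
  # bring such resources back under policy rather than editing this list in place.
  # -- Resource types to be skipped by the Kyverno policy engine.
  # Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
  # These are joined together without spaces, run through `tpl`, and the result is set in the config map.
  # @default -- See [values.yaml](values.yaml)
  resourceFilters:
    - '[Event,*,*]'
    - '[*/*,kube-system,*]'
    - '[*/*,kube-public,*]'
    - '[*/*,kube-node-lease,*]'
    - '[Node,*,*]'
    - '[Node/?*,*,*]'
    - '[APIService,*,*]'
    - '[APIService/?*,*,*]'
    - '[TokenReview,*,*]'
    - '[SubjectAccessReview,*,*]'
    - '[SelfSubjectAccessReview,*,*]'
    - '[Binding,*,*]'
    - '[Pod/binding,*,*]'
    - '[ReplicaSet,*,*]'
    - '[ReplicaSet/?*,*,*]'
    - '[EphemeralReport,*,*]'
    - '[ClusterEphemeralReport,*,*]'
    # exclude resources from the chart
    - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]'
    - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]'
    - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:additional]'
    - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}]'
    - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:core]'
    - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:additional]'
    - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
    - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:core]'
    - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:additional]'
    - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}]'
    - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:core]'
    - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:additional]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.admission-controller.roleName" . }}]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.background-controller.roleName" . }}]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.reports-controller.roleName" . }}]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
    - '[ServiceAccount/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
    - '[ServiceAccount/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
    - '[ServiceAccount/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
    - '[ServiceAccount/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
    - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]'
    - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[Deployment/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[Deployment/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[Deployment/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[Deployment/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
    - '[Pod/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
    - '[Pod/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
    - '[Pod/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
    - '[Pod/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
    - '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
    - '[Job/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[NetworkPolicy/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[NetworkPolicy/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[NetworkPolicy/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[NetworkPolicy/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[PodDisruptionBudget/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[PodDisruptionBudget/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[PodDisruptionBudget/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[PodDisruptionBudget/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
    - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
    - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
    - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
    - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
    - '[Service/?*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.background-controller.name" . }}]'
    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
    - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
  # -- Sets the threshold for the total number of UpdateRequests generated for mutateExisting and generate policies.
  updateRequestThreshold: 1000
  # -- Defines the `namespaceSelector`/`objectSelector` in the webhook configurations.
  # The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
  webhooks:
    # Exclude namespaces
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
    # Exclude objects
    # objectSelector:
    #   matchExpressions:
    #     - key: webhooks.kyverno.io/exclude
    #       operator: DoesNotExist
  # -- Defines annotations to set on webhook configurations.
  webhookAnnotations:
    # Example to disable admission enforcer on AKS:
    'admissions.enforcer/disabled': 'true'
  # -- Defines labels to set on webhook configurations.
  webhookLabels: {}
  # Example to adopt webhook resources in ArgoCD:
  # 'argocd.argoproj.io/instance': 'kyverno'

  # -- Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+).
  matchConditions: []
  # -- Exclude Kyverno namespace
  # Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters
  excludeKyvernoNamespace: true
  # -- resourceFilter namespace exclude
  # Namespaces to exclude from the default resourceFilters
  resourceFiltersExcludeNamespaces: []
  # -- resourceFilters exclude list
  # Items to exclude from config.resourceFilters
  resourceFiltersExclude: []
  # -- resourceFilter namespace include
  # Namespaces to include to the default resourceFilters
  resourceFiltersIncludeNamespaces: []
  # -- resourceFilters include list
  # Items to include to config.resourceFilters
  resourceFiltersInclude: []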
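# Metrics configuration
metricsConfig:
  # -- Create the configmap.
  create: true
  # -- (string) The configmap name (required if `create` is `false`).
  name: ~
  # -- Additional annotations to add to the configmap.
  annotations: {}
  namespaces:
    # -- List of namespaces to capture metrics for.
    include: []
    # -- list of namespaces to NOT capture metrics for.
    exclude: []
  # -- (string) Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics. WARNING: This flag is not working since Kyverno 1.8.0
  metricsRefreshInterval: ~
  # metricsRefreshInterval: 24h

  # -- (list) Configures the bucket boundaries for all Histogram metrics, changing this configuration requires restart of the kyverno admission controller
  bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20, 25, 30]
  # The default `disabledLabelDimensions` below drop namespace/operation labels,
  # which bounds metric cardinality on large clusters.
  # -- (map) Configures the exposure of individual metrics, by default all metrics and all labels are exported, changing this configuration requires restart of the kyverno admission controller
  metricsExposure:
    kyverno_policy_execution_duration_seconds:
      # bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
      disabledLabelDimensions: ["resource_namespace", "resource_request_operation"]
    kyverno_validating_policy_execution_duration_seconds:
      # bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
      disabledLabelDimensions: ["resource_namespace", "resource_request_operation"]
    kyverno_image_validating_policy_execution_duration_seconds:
      # bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
      disabledLabelDimensions: ["resource_namespace", "resource_request_operation"]
    kyverno_mutating_policy_execution_duration_seconds:
      # bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
      disabledLabelDimensions: ["resource_namespace", "resource_request_operation"]
    kyverno_generating_policy_execution_duration_seconds:
      # bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5]
      disabledLabelDimensions: ["resource_namespace", "resource_request_operation"]
    kyverno_admission_review_duration_seconds:
      # enabled: false
      disabledLabelDimensions: ["resource_namespace"]
    kyverno_policy_rule_info_total:
      disabledLabelDimensions: ["resource_namespace", "policy_namespace"]
    kyverno_policy_results_total:
      disabledLabelDimensions: ["resource_namespace", "policy_namespace"]
    kyverno_admission_requests_total:
      disabledLabelDimensions: ["resource_namespace"]
    kyverno_cleanup_controller_deletedobjects_total:
      disabledLabelDimensions: ["resource_namespace", "policy_namespace"]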
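# Credentials given here end up in the rendered release as plaintext values;
# prefer pre-created Secrets referenced via `existingImagePullSecrets` below so
# registry passwords do not have to live in a committed values file.
# -- Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument
imagePullSecrets: {}
# regcred:
#   registry: foo.example.com
#   username: foobar
#   password: secret
# regcred2:
#   registry: bar.example.com
#   username: barbaz
#   password: secret2

# -- Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument
existingImagePullSecrets: []
# - test-registry
# - other-test-registry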
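# Tests configuration
test:
  # -- Sleep time before running test
  sleep: 20
  image:
    # -- (string) Image registry
    registry: cgr.dev
    # -- Image repository
    repository: scratch-images/test-tmp/busybox
    # Digest-pinned: the `@sha256:` digest selects the image regardless of the tag name.
    # -- Image tag
    # Defaults to `latest` if omitted
    tag: 'glibc-1.37.0-r61@sha256:76d4512ede610c204e75993b66d1cf4be821f1fbe533ba0f878ce167b964f824'
    # -- (string) Image pull policy
    # Defaults to image.pullPolicy if omitted
    pullPolicy: ~
  # -- Image pull secrets
  imagePullSecrets: []
  # - name: secretName

  resources:
    # -- Pod resource limits
    limits:
      cpu: 100m
      memory: 256Mi
    # -- Pod resource requests
    requests:
      cpu: 10m
      memory: 64Mi
  # -- Security context for the test containers
  securityContext:
    runAsUser: 65534
    runAsGroup: 65534
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  # -- Toggle automounting of the ServiceAccount
  automountServiceAccountToken: true
  # -- Node labels for pod assignment
  nodeSelector: {}
  # -- Additional Pod annotations
  podAnnotations: {}
  # -- List of node taints to tolerate
  tolerations: []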
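# -- Additional labels
customLabels: {}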
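webhooksCleanup:
  # -- Create a helm pre-delete hook to cleanup webhooks.
  enabled: true
  autoDeleteWebhooks:
    # -- Allow webhooks controller to delete webhooks using finalizers
    enabled: false
  image:
    # -- (string) Image registry
    registry: cgr.dev
    # -- Image repository
    repository: scratch-images/test-tmp/kubectl
    # Digest-pinned: the `@sha256:` digest selects the image regardless of the tag name.
    # -- Image tag
    # Defaults to `latest` if omitted
    tag: '1.36.2-r0@sha256:5d307a89d701558a1c278308ceaebb0594a9f8ba0f239fd3ec92bff55dc04c5d'
    # -- (string) Image pull policy
    # Defaults to image.pullPolicy if omitted
    pullPolicy: ~
  # -- Image pull secrets
  imagePullSecrets: []
  # -- Security context for the pod
  podSecurityContext: {}
  # -- Node labels for pod assignment
  nodeSelector: {}
  # -- List of node taints to tolerate
  tolerations: []
  # -- Pod anti affinity constraints.
  podAntiAffinity: {}
  # -- Pod affinity constraints.
  podAffinity: {}
  # -- Pod labels.
  podLabels: {}
  # -- Pod annotations.
  podAnnotations: {}
  # -- Node affinity constraints.
  nodeAffinity: {}
  # -- Security context for the hook containers
  securityContext:
    runAsUser: 65534
    runAsGroup: 65534
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  resources:
    # -- Pod resource limits
    limits:
      cpu: 100m
      memory: 256Mi
    # -- Pod resource requests
    requests:
      cpu: 10m
      memory: 64Mi
  serviceAccount:
    # -- Toggle automounting of the ServiceAccount
    automountServiceAccountToken: true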
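grafana:
  # -- Enable grafana dashboard creation.
  enabled: false
  # -- Configmap name template.
  configMapName: '{{ include "kyverno.fullname" . }}-grafana'
  # -- (string) Namespace to create the grafana dashboard configmap.
  # If not set, it will be created in the same namespace where the chart is deployed.
  namespace: ~
  # -- Grafana dashboard configmap annotations.
  annotations: {}
  # -- Grafana dashboard configmap labels
  labels:
    grafana_dashboard: "1"
  # -- create GrafanaDashboard custom resource referencing to the configMap.
  # according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/
  grafanaDashboard:
    create: false
    folder: kyverno
    allowCrossNamespaceImport: true
    matchLabels:
      dashboards: "grafana"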
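# Features configuration
features:
  admissionReports:
    # -- Enables the feature
    enabled: true
  aggregateReports:
    # -- Enables the feature
    enabled: true
  policyReports:
    # -- Enables the feature
    enabled: true
  validatingAdmissionPolicyReports:
    # -- Enables the feature
    enabled: true
  mutatingAdmissionPolicyReports:
    # -- Enables the feature
    enabled: false
  reporting:
    # -- Enables the feature
    validate: true
    # -- Enables the feature
    mutate: true
    # -- Enables the feature
    mutateExisting: true
    # -- Enables the feature
    imageVerify: true
    # -- Enables the feature
    generate: true
  autoUpdateWebhooks:
    # -- Enables the feature
    enabled: true
  backgroundScan:
    # -- Enables the feature
    enabled: true
    # -- Number of background scan workers
    backgroundScanWorkers: 2
    # -- Background scan interval
    backgroundScanInterval: 1h
    # -- Skips resource filters in background scan
    skipResourceFilters: true
  configMapCaching:
    # -- Enables the feature
    enabled: true
  controllerRuntimeMetrics:
    # -- Bind address for controller-runtime metrics (use "0" to disable it)
    bindAddress: ":8080"
  deferredLoading:
    # -- Enables the feature
    enabled: true
  dumpPayload:
    # Payload dumps include full admission request bodies; leave disabled outside
    # of targeted troubleshooting.
    # -- Enables the feature
    enabled: false
  forceFailurePolicyIgnore:
    # When enabled, webhook failures no longer block requests (fail-open).
    # -- Enables the feature
    enabled: false
  generateValidatingAdmissionPolicy:
    # -- Enables the feature
    enabled: true
  generateMutatingAdmissionPolicy:
    # -- Enables the feature
    enabled: false
  dumpPatches:
    # -- Enables the feature
    enabled: false
  globalContext:
    # -- Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended)
    maxApiCallResponseLength: 2000000
  logging:
    # -- Logging format
    format: text
    # -- Logging verbosity
    verbosity: 2
  omitEvents:
    # -- Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`)
    eventTypes:
      - PolicyApplied
      - PolicySkipped
      # - PolicyViolation
      # - PolicyError
  policyExceptions:
    # -- Enables the feature
    enabled: false
    # -- Restrict policy exceptions to a single namespace
    # Set to "*" to allow exceptions in all namespaces
    namespace: ''
  protectManagedResources:
    # -- Enables the feature
    enabled: false
  registryClient:
    # Keep `false` unless the registry genuinely lacks TLS; insecure registries
    # undermine image verification.
    # -- Allow insecure registry
    allowInsecure: false
    # -- Enable registry client helpers
    credentialHelpers:
      - default
      - google
      - amazon
      - azure
      - github
  ttlController:
    # -- Reconciliation interval for the label based cleanup manager
    reconciliationInterval: 1m
  tuf:
    # -- Enables the feature
    enabled: false
    # -- (string) Path to Tuf root
    root: ~
    # -- (string) Raw Tuf root
    rootRaw: ~
    # -- (string) Tuf mirror
    mirror: ~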
694
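# Admission controller configuration
admissionController:
  autoscaling:
    # -- Enable horizontal pod autoscaling
    enabled: false
    # -- Minimum number of pods
    minReplicas: 1
    # -- Maximum number of pods
    maxReplicas: 10
    # -- Target CPU utilization percentage
    targetCPUUtilizationPercentage: 80
    # -- Configurable scaling behavior
    behavior: {}
  # -- Overrides features defined at the root level
  featuresOverride:
    admissionReports:
      # -- Max number of admission reports allowed in flight until the admission controller stops creating new ones
      backPressureThreshold: 1000
  rbac:
    # -- Create RBAC resources
    create: true
    # -- Create rolebinding to view role
    createViewRoleBinding: true
    # -- The view role to use in the rolebinding
    viewRoleName: view
    serviceAccount:
      # -- The ServiceAccount name
      name: ~
      # -- Annotations for the ServiceAccount
      annotations: {}
      # example.com/annotation: value

      # -- Toggle automounting of the ServiceAccount
      automountServiceAccountToken: true
    coreClusterRole:
      # -- Extra resource permissions to add in the core cluster role.
      # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
      # @default -- See [values.yaml](values.yaml)
      extraResources: []
    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      extraResources: []
      # - apiGroups:
      #     - ''
      #   resources:
      #     - pods
      #   verbs:
      #     - create
      #     - update
      #     - delete
  # -- Create self-signed certificates at deployment time.
  # The certificates won't be automatically renewed if this is set to `true`.
  createSelfSignedCert: false
  # -- (int) Desired number of pods
  replicas: ~
  # -- The number of revisions to keep
  revisionHistoryLimit: 10
  # -- Resync period for informers
  resyncPeriod: 15m
  # -- Enable/Disable custom resource watcher to invalidate cache
  crdWatcher: false
  # -- Additional labels to add to each pod
  podLabels: {}
  # example.com/label: foo

  # -- Additional annotations to add to each pod
  podAnnotations: {}
  # example.com/annotation: foo

  # -- Deployment annotations.
  annotations: {}
  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate
  # -- Optional priority class
  priorityClassName: ''
  # -- Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno admission controller activities.
  # This will help ensure Kyverno stability in busy clusters.
  # Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
  apiPriorityAndFairness: false
  # -- Priority level configuration.
  # The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want.
  # ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration
  # @default -- See [values.yaml](values.yaml)
  priorityLevelConfigurationSpec:
    type: Limited
    limited:
      nominalConcurrencyShares: 10
      limitResponse:
        queuing:
          queueLengthLimit: 50
        type: Queue
  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  hostNetwork: false
  # -- admissionController webhook server port
  # in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to
  webhookServer:
    port: 9443
  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst
  # -- `dnsConfig` allows to specify DNS configuration for the pod.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config.
  dnsConfig: {}
  # options:
  #   - name: ndots
  #     value: "2"

  # -- Startup probe.
  # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  startupProbe:
    httpGet:
      path: /health/liveness
      port: 9443  # presumably served by the webhook server; keep in sync with webhookServer.port
      scheme: HTTPS
    failureThreshold: 20
    initialDelaySeconds: 2
    periodSeconds: 6
  # -- Liveness probe.
  # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  livenessProbe:
    httpGet:
      path: /health/liveness
      port: 9443  # keep in sync with webhookServer.port
      scheme: HTTPS
    initialDelaySeconds: 15
    periodSeconds: 30
    timeoutSeconds: 5
    failureThreshold: 2
    successThreshold: 1
  # -- Readiness Probe.
  # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  readinessProbe:
    httpGet:
      path: /health/readiness
      port: 9443  # keep in sync with webhookServer.port
      scheme: HTTPS
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  # -- Node labels for pod assignment
  nodeSelector: {}
  # -- List of node taints to tolerate
  tolerations: []
  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true
  # -- Pod anti affinity constraints.
  # @default -- See [values.yaml](values.yaml)
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - admission-controller
          topologyKey: kubernetes.io/hostname
  # -- Pod affinity constraints.
  podAffinity: {}
  # -- Node affinity constraints.
  nodeAffinity: {}
  # -- Topology spread constraints.
  topologySpreadConstraints: []
  # -- Security context for the pod
  podSecurityContext: {}  # empty at pod level; the hardening lives in the container-level securityContext blocks below
  podDisruptionBudget:
    # -- Enable PodDisruptionBudget.
    # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
    enabled: false
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable: ~
    # -- Unhealthy pod eviction policy to be used.
    # Possible values are `IfHealthyBudget` or `AlwaysAllow`.
    unhealthyPodEvictionPolicy: ~
  # -- A writable volume to use for the TUF root initialization.
  tufRootMountPath: /.sigstore
  # -- Volume to be mounted in pods for TUF/cosign work.
  sigstoreVolume:
    emptyDir: {}
  caCertificates:
    # -- CA certificates to use with Kyverno deployments
    # This value is expected to be one large string of CA certificates
    data: ~
    # -- Volume to be mounted for CA certificates
    # Not used when `.Values.admissionController.caCertificates.data` is defined
    volume: {}
    # Example to use hostPath:
    # hostPath:
    #   path: /etc/pki/tls/ca-certificates.crt
    #   type: File
  # -- Image pull secrets
  imagePullSecrets: []
  # - secretName

  initContainer:
    image:
      # -- Image registry
      registry: cgr.dev
      # NOTE(review): defaultRegistry carries no "# --" description, so helm-docs leaves it undocumented;
      # its use is not visible in this file — confirm in the templates before relying on it.
      defaultRegistry: reg.kyverno.io
      # -- Image repository
      repository: scratch-images/test-tmp/kyvernopre
      # -- (string) Image tag
      # If missing, defaults to image.tag
      tag: 1.16.4-r7@sha256:7e19f092d2d8f4fae5a613f86407fe5728ee4b1fb572bcd8e6d095f5d8aac18a
      # -- (string) Image pull policy
      # If missing, defaults to image.pullPolicy
      pullPolicy: ~
    resources:
      # -- Pod resource limits
      limits:
        cpu: 100m
        memory: 256Mi
      # -- Pod resource requests
      requests:
        cpu: 10m
        memory: 64Mi
    # -- Container security context
    securityContext:
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
    # -- Additional container args.
    extraArgs: {}
    # -- Additional container environment variables.
    extraEnvVars: []
    # Example setting proxy
    # extraEnvVars:
    #   - name: HTTPS_PROXY
    #     value: 'https://proxy.example.com:3128'
  container:
    image:
      # -- Image registry
      registry: cgr.dev
      # NOTE(review): undocumented key (no "# --" line); see the same key under initContainer.image.
      defaultRegistry: reg.kyverno.io
      # -- Image repository
      repository: scratch-images/test-tmp/kyverno
      # -- (string) Image tag
      # Defaults to appVersion in Chart.yaml if omitted
      tag: 1.16.4-r7@sha256:db9eebe0601bf2ed3c87c8e8ac0411a4678f7968206496100c7358a2c6e31496
      # -- Image pull policy
      pullPolicy: IfNotPresent
    resources:
      # -- Pod resource limits
      limits:
        memory: 384Mi
      # -- Pod resource requests
      requests:
        cpu: 100m
        memory: 128Mi
    # -- Container security context
    securityContext:
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
    # -- Additional container args.
    extraArgs: {}
    # -- Additional container environment variables.
    extraEnvVars: []
    # Example setting proxy
    # extraEnvVars:
    #   - name: HTTPS_PROXY
    #     value: 'https://proxy.example.com:3128'
  # -- Array of extra init containers
  extraInitContainers: []
  # - name: init-container
  #   image: busybox
  #   command: ['sh', '-c', 'echo Hello']

  # -- Array of extra containers to run alongside kyverno
  extraContainers: []
  # - name: myapp-container
  #   image: busybox
  #   command: ['sh', '-c', 'echo Hello && sleep 3600']

  service:
    # -- Service port.
    port: 443
    # -- Service type.
    type: ClusterIP
    # -- Service node port.
    # Only used if `type` is `NodePort`.
    nodePort: ~
    # -- Service annotations.
    annotations: {}
    # -- (string) Service traffic distribution policy.
    # Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
    trafficDistribution: ~
  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Kyverno's metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    type: ClusterIP
    # -- Service node port.
    # Only used if `type` is `NodePort`.
    nodePort: ~
    # -- Service annotations.
    annotations: {}
    # -- (string) Service traffic distribution policy.
    # Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
    trafficDistribution: ~
  networkPolicy:
    # -- When true, use a NetworkPolicy to allow ingress to the webhook
    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
    enabled: false
    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
    ingressFrom: []
  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional annotations
    additionalAnnotations: {}
    # -- Additional labels
    additionalLabels: {}
    # -- (string) Override namespace
    namespace: ~
    # -- Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}
    # -- RelabelConfigs to apply to samples before scraping
    relabelings: []
    # -- MetricRelabelConfigs to apply to samples before ingestion.
    metricRelabelings: []
  tracing:
    # -- Enable tracing
    enabled: false
    # -- Traces receiver address
    address: ~
    # -- Traces receiver port
    port: ~
    # -- Traces receiver credentials
    creds: ''  # keep empty in committed values files; supply credentials out-of-band
  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- Otel collector endpoint
    collector: ''
    # -- Otel collector credentials
    creds: ''  # keep empty in committed values files; supply credentials out-of-band
  profiling:
    # -- Enable profiling
    enabled: false
    # -- Profiling endpoint port
    port: 6060
    # -- Service type.
    serviceType: ClusterIP
    # -- Service node port.
    # Only used if `type` is `NodePort`.
    nodePort: ~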
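# Background controller configuration
backgroundController:
  # -- Overrides features defined at the root level
  featuresOverride: {}
  # -- Enable background controller.
  enabled: true
  rbac:
    # -- Create RBAC resources
    create: true
    # -- Create rolebinding to view role
    createViewRoleBinding: true
    # -- The view role to use in the rolebinding
    viewRoleName: view
    serviceAccount:
      # -- Service account name
      name: ~
      # -- Annotations for the ServiceAccount
      annotations: {}
      # example.com/annotation: value

      # -- Toggle automounting of the ServiceAccount
      automountServiceAccountToken: true
    coreClusterRole:
      # -- Extra resource permissions to add in the core cluster role.
      # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
      # @default -- See [values.yaml](values.yaml)
      extraResources:
        - apiGroups:
            - networking.k8s.io
          resources:
            - ingresses
            - ingressclasses
            - networkpolicies
          verbs:
            - create
            - update
            - patch
            - delete
        - apiGroups:  # write access to roles/rolebindings lets this controller mint RBAC; scope it down if no generate rule needs it
            - rbac.authorization.k8s.io
          resources:
            - rolebindings
            - roles
          verbs:
            - create
            - update
            - patch
            - delete
        - apiGroups:
            - ''
          resources:
            - configmaps
            - resourcequotas
            - limitranges
          verbs:
            - create
            - update
            - patch
            - delete
        - apiGroups:
            - resource.k8s.io
          resources:
            - resourceclaims
            - resourceclaimtemplates
          verbs:
            - create
            - delete
            - update
            - patch
            - deletecollection
    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      extraResources: []
      # - apiGroups:
      #     - ''
      #   resources:
      #     - pods
      #   verbs:
      #     - create
      #     - update
      #     - delete
      #     - patch
  image:
    # -- Image registry
    registry: cgr.dev
    # NOTE(review): defaultRegistry carries no "# --" description, so helm-docs leaves it undocumented;
    # its use is not visible in this file — confirm in the templates before relying on it.
    defaultRegistry: reg.kyverno.io
    # -- Image repository
    repository: scratch-images/test-tmp/kyverno-background-controller
    # -- Image tag
    # Defaults to appVersion in Chart.yaml if omitted
    tag: 1.16.4-r7@sha256:89ff62db10f49a330f4dc4b599229bee4ed41954746edda623195b6a3799c11c
    # -- Image pull policy
    pullPolicy: IfNotPresent
  # -- Image pull secrets
  imagePullSecrets: []
  # - secretName

  # -- (int) Desired number of pods
  replicas: ~
  # -- The number of revisions to keep
  revisionHistoryLimit: 10
  # -- Resync period for informers
  resyncPeriod: 15m
  # -- Additional labels to add to each pod
  podLabels: {}
  # example.com/label: foo

  # -- Additional annotations to add to each pod
  podAnnotations: {}
  # example.com/annotation: foo

  # -- Deployment annotations.
  annotations: {}
  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate
  # -- Optional priority class
  priorityClassName: ''
  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  hostNetwork: false
  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst
  # -- `dnsConfig` allows to specify DNS configuration for the pod.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config.
  dnsConfig: {}
  # options:
  #   - name: ndots
  #     value: "2"

  # -- Extra arguments passed to the container on the command line
  extraArgs: {}
  # -- Additional container environment variables.
  extraEnvVars: []
  # Example setting proxy
  # extraEnvVars:
  #   - name: HTTPS_PROXY
  #     value: 'https://proxy.example.com:3128'

  resources:
    # -- Pod resource limits
    limits:
      memory: 128Mi
    # -- Pod resource requests
    requests:
      cpu: 100m
      memory: 64Mi
  # -- Node labels for pod assignment
  nodeSelector: {}
  # -- List of node taints to tolerate
  tolerations: []
  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true
  # -- Pod anti affinity constraints.
  # @default -- See [values.yaml](values.yaml)
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - background-controller
          topologyKey: kubernetes.io/hostname
  # -- Pod affinity constraints.
  podAffinity: {}
  # -- Node affinity constraints.
  nodeAffinity: {}
  # -- Topology spread constraints.
  topologySpreadConstraints: []
  # -- Security context for the pod
  podSecurityContext: {}  # empty at pod level; the hardening lives in the container-level securityContext below
  # -- Security context for the containers
  securityContext:
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  podDisruptionBudget:
    # -- Enable PodDisruptionBudget.
    # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
    enabled: false
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable: ~
    # -- Unhealthy pod eviction policy to be used.
    # Possible values are `IfHealthyBudget` or `AlwaysAllow`.
    unhealthyPodEvictionPolicy: ~
  caCertificates:
    # -- CA certificates to use with Kyverno deployments
    # This value is expected to be one large string of CA certificates
    data: ~
    # -- Volume to be mounted for CA certificates
    # Not used when `.Values.backgroundController.caCertificates.data` is defined
    volume: {}
    # Example to use hostPath:
    # hostPath:
    #   path: /etc/pki/tls/ca-certificates.crt
    #   type: File
  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    type: ClusterIP
    # -- Service node port.
    # Only used if `metricsService.type` is `NodePort`.
    nodePort: ~
    # -- Service annotations.
    annotations: {}
    # -- (string) Service traffic distribution policy.
    # Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
    trafficDistribution: ~
  networkPolicy:
    # -- When true, use a NetworkPolicy to allow ingress to the webhook
    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
    enabled: false
    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
    ingressFrom: []
  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional annotations
    additionalAnnotations: {}
    # -- Additional labels
    additionalLabels: {}
    # -- (string) Override namespace
    namespace: ~
    # -- Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}
    # -- RelabelConfigs to apply to samples before scraping
    relabelings: []
    # -- MetricRelabelConfigs to apply to samples before ingestion.
    metricRelabelings: []
  tracing:
    # -- Enable tracing
    enabled: false
    # -- Traces receiver address
    address: ~
    # -- Traces receiver port
    port: ~
    # -- Traces receiver credentials
    creds: ''  # keep empty in committed values files; supply credentials out-of-band
  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- Otel collector endpoint
    collector: ''
    # -- Otel collector credentials
    creds: ''  # keep empty in committed values files; supply credentials out-of-band
  # -- backgroundController server port
  # in case you are using hostNetwork: true, you might want to change the port the backgroundController is listening to
  server:
    port: 9443
  profiling:
    # -- Enable profiling
    enabled: false
    # -- Profiling endpoint port
    port: 6060
    # -- Service type.
    serviceType: ClusterIP
    # -- Service node port.
    # Only used if `type` is `NodePort`.
    nodePort: ~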
# Cleanup controller configuration
1387
cleanupController:
1388
# -- Overrides features defined at the root level
1389
featuresOverride: {}
1390
# -- Enable cleanup controller.
1391
enabled: true
1392
rbac:
1393
# -- Create RBAC resources
1394
create: true
1395
serviceAccount:
1396
# -- Service account name
1397
name:
1398
# -- Annotations for the ServiceAccount
1399
annotations: {}
1400
# example.com/annotation: value
1401
1402
# -- Toggle automounting of the ServiceAccount
1403
automountServiceAccountToken: true
1404
clusterRole:
1405
# -- Extra resource permissions to add in the cluster role
1406
extraResources: []
1407
# - apiGroups:
1408
# - ''
1409
# resources:
1410
# - pods
1411
# verbs:
1412
# - delete
1413
# - list
1414
# - watch
1415
# -- Create self-signed certificates at deployment time.
1416
# The certificates won't be automatically renewed if this is set to `true`.
1417
createSelfSignedCert: false
1418
image:
1419
# -- Image registry
1420
registry: cgr.dev
1421
defaultRegistry: reg.kyverno.io
1422
# -- Image repository
1423
repository: scratch-images/test-tmp/kyverno-cleanup-controller
1424
# -- (string) Image tag
1425
# Defaults to appVersion in Chart.yaml if omitted
1426
tag: 1.16.4-r7@sha256:e28b60ea3191cb8160fe06e4f2c4472bf0e700fc5865920a1bf229307dfaa87c
1427
# -- Image pull policy
1428
pullPolicy: IfNotPresent
1429
# -- Image pull secrets
1430
imagePullSecrets: []
1431
# - secretName
1432
1433
# -- (int) Desired number of pods
1434
replicas: ~
1435
# -- The number of revisions to keep
1436
revisionHistoryLimit: 10
1437
# -- Resync period for informers
1438
resyncPeriod: 15m
1439
# -- Additional labels to add to each pod
1440
podLabels: {}
1441
# example.com/label: foo
1442
1443
# -- Additional annotations to add to each pod
1444
podAnnotations: {}
1445
# example.com/annotation: foo
1446
1447
# -- Deployment annotations.
1448
annotations: {}
1449
# -- Deployment update strategy.
1450
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
1451
# @default -- See [values.yaml](values.yaml)
1452
updateStrategy:
1453
rollingUpdate:
1454
maxSurge: 1
1455
maxUnavailable: 40%
1456
type: RollingUpdate
1457
# -- Optional priority class
1458
priorityClassName: ''
1459
# -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
1460
# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
1461
# Update the `dnsPolicy` accordingly as well to suit the host network mode.
1462
hostNetwork: false
1463
# -- cleanupController server port
1464
# in case you are using hostNetwork: true, you might want to change the port the cleanupController is listening to
1465
server:
1466
port: 9443
1467
# -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
1468
# In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
1469
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
1470
dnsPolicy: ClusterFirst
1471
# -- `dnsConfig` allows to specify DNS configuration for the pod.
1472
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config.
1473
dnsConfig: {}
1474
# options:
1475
# - name: ndots
1476
# value: "2"
1477
1478
# -- Extra arguments passed to the container on the command line
1479
extraArgs: {}
1480
# -- Additional container environment variables.
1481
extraEnvVars: []
1482
# Example setting proxy
1483
# extraEnvVars:
1484
# - name: HTTPS_PROXY
1485
# value: 'https://proxy.example.com:3128'
1486
1487
resources:
1488
# -- Pod resource limits
1489
limits:
1490
memory: 128Mi
1491
# -- Pod resource requests
1492
requests:
1493
cpu: 100m
1494
memory: 64Mi
1495
# -- Startup probe.
1496
# The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
1497
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
1498
# @default -- See [values.yaml](values.yaml)
1499
startupProbe:
1500
httpGet:
1501
path: /health/liveness
1502
port: 9443
1503
scheme: HTTPS
1504
failureThreshold: 20
1505
initialDelaySeconds: 2
1506
periodSeconds: 6
1507
# -- Liveness probe.
1508
# The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
1509
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
1510
# @default -- See [values.yaml](values.yaml)
1511
livenessProbe:
1512
httpGet:
1513
path: /health/liveness
1514
port: 9443
1515
scheme: HTTPS
1516
initialDelaySeconds: 15
1517
periodSeconds: 30
1518
timeoutSeconds: 5
1519
failureThreshold: 2
1520
successThreshold: 1
1521
# -- Readiness Probe.
1522
# The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
1523
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
1524
# @default -- See [values.yaml](values.yaml)
1525
readinessProbe:
1526
httpGet:
1527
path: /health/readiness
1528
port: 9443
1529
scheme: HTTPS
1530
initialDelaySeconds: 5
1531
periodSeconds: 10
1532
timeoutSeconds: 5
1533
failureThreshold: 6
1534
successThreshold: 1
1535
# -- Node labels for pod assignment
1536
nodeSelector: {}
1537
# -- List of node taints to tolerate
1538
tolerations: []
1539
antiAffinity:
1540
# -- Pod antiAffinities toggle.
1541
# Enabled by default but can be disabled if you want to schedule pods to the same node.
1542
enabled: true
1543
# -- Pod anti affinity constraints.
1544
# @default -- See [values.yaml](values.yaml)
1545
podAntiAffinity:
1546
preferredDuringSchedulingIgnoredDuringExecution:
1547
- weight: 1
1548
podAffinityTerm:
1549
labelSelector:
1550
matchExpressions:
1551
- key: app.kubernetes.io/component
1552
operator: In
1553
values:
1554
- cleanup-controller
1555
topologyKey: kubernetes.io/hostname
1556
# -- Pod affinity constraints.
1557
podAffinity: {}
1558
# -- Node affinity constraints.
1559
nodeAffinity: {}
1560
# -- Topology spread constraints.
1561
topologySpreadConstraints: []
1562
# -- Security context for the pod
1563
podSecurityContext: {}
1564
# -- Security context for the containers
1565
securityContext:
1566
runAsNonRoot: true
1567
privileged: false
1568
allowPrivilegeEscalation: false
1569
readOnlyRootFilesystem: true
1570
capabilities:
1571
drop:
1572
- ALL
1573
seccompProfile:
1574
type: RuntimeDefault
1575
podDisruptionBudget:
1576
# -- Enable PodDisruptionBudget.
1577
# Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
1578
enabled: false
1579
# -- Configures the minimum available pods for disruptions.
1580
# Cannot be used if `maxUnavailable` is set.
1581
minAvailable: 1
1582
# -- Configures the maximum unavailable pods for disruptions.
1583
# Cannot be used if `minAvailable` is set.
1584
maxUnavailable:
1585
# -- Unhealthy pod eviction policy to be used.
1586
# Possible values are `IfHealthyBudget` or `AlwaysAllow`.
1587
unhealthyPodEvictionPolicy:
1588
service:
1589
# -- Service port.
1590
port: 443
1591
# -- Service type.
1592
type: ClusterIP
1593
# -- Service node port.
1594
# Only used if `service.type` is `NodePort`.
1595
nodePort:
1596
# -- Service annotations.
1597
annotations: {}
1598
# -- (string) Service traffic distribution policy.
1599
# Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
1600
trafficDistribution: ~
1601
metricsService:
1602
# -- Create service.
1603
create: true
1604
# -- Service port.
1605
# Metrics server will be exposed at this port.
1606
port: 8000
1607
# -- Service type.
1608
type: ClusterIP
1609
# -- Service node port.
1610
# Only used if `metricsService.type` is `NodePort`.
1611
nodePort:
1612
# -- Service annotations.
1613
annotations: {}
1614
# -- (string) Service traffic distribution policy.
1615
# Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
1616
trafficDistribution: ~
1617
networkPolicy:
1618
# -- When true, use a NetworkPolicy to allow ingress to the webhook
1619
# This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
1620
enabled: false
1621
# -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
1622
ingressFrom: []
1623
serviceMonitor:
  # -- Create a `ServiceMonitor` to collect Prometheus metrics.
  enabled: false
  # -- Additional annotations
  additionalAnnotations: {}
  # -- Additional labels
  additionalLabels: {}
  # -- (string) Override namespace
  namespace: ~
  # -- Interval to scrape metrics
  interval: 30s
  # -- Timeout if metrics can't be retrieved in given time interval
  # Must stay below `interval`, otherwise consecutive scrapes overlap.
  scrapeTimeout: 25s
  # -- Is TLS required for endpoint
  # When false the scrape is plain HTTP; set to true together with `tlsConfig` when the metrics endpoint serves TLS.
  secure: false
  # -- TLS Configuration for endpoint
  # Presumably only applied when `secure` is true — confirm against the templates.
  tlsConfig: {}
  # -- RelabelConfigs to apply to samples before scraping
  relabelings: []
  # -- MetricRelabelConfigs to apply to samples before ingestion.
  metricRelabelings: []
1644
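tracing:
  # -- Enable tracing
  enabled: false
  # -- (string) Traces receiver address
  # Explicit null (`~`) rather than a bare key; the `(string)` annotation follows the other receiver values in this file.
  address: ~
  # -- (string) Traces receiver port
  port: ~
  # -- Traces receiver credentials
  # Anything set here is written into the rendered manifests; prefer sourcing credentials out of band
  # rather than committing them to a values file. The empty-string default is kept as-is.
  creds: ''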
1653
metering:
  # -- Disable metrics export
  disabled: false
  # -- Otel configuration, can be `prometheus` or `grpc`
  config: prometheus
  # -- Prometheus endpoint port
  # Presumably only relevant when `config` is `prometheus` — confirm against the templates.
  port: 8000
  # -- Otel collector endpoint
  # Presumably used with `config: grpc`; empty means no collector is configured — confirm against the templates.
  collector: ''
  # -- Otel collector credentials
  # Anything set here is written into the rendered manifests; prefer sourcing credentials out of band
  # rather than committing them to a values file.
  creds: ''
1664
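profiling:
  # -- Enable profiling
  # Exposes a profiling endpoint on `port`; keep disabled outside of debugging sessions.
  enabled: false
  # -- Profiling endpoint port
  port: 6060
  # -- Service type.
  # `NodePort` publishes the profiling endpoint on every node's address; leave as `ClusterIP` unless that exposure is intended.
  serviceType: ClusterIP
  # -- (string) Service node port.
  # Only used if `serviceType` is `NodePort` (the key is `serviceType` here, not `type`).
  # Explicit null (`~`) rather than a bare key, matching the other `nodePort` values in this file.
  nodePort: ~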
1674
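# Reports controller configuration
reportsController:
  # -- Overrides features defined at the root level
  featuresOverride: {}
  # -- Enable reports controller.
  enabled: true
  rbac:
    # -- Create RBAC resources
    create: true
    # -- Create rolebinding to view role
    createViewRoleBinding: true
    # -- The view role to use in the rolebinding
    viewRoleName: view
  serviceAccount:
    # -- (string) Service account name
    # Explicit null (`~`) rather than a bare key; presumably derived by the chart when unset — confirm against the templates.
    name: ~
    # -- Annotations for the ServiceAccount
    annotations: {}
    # example.com/annotation: value

    # -- Toggle automounting of the ServiceAccount
    automountServiceAccountToken: true
  coreClusterRole:
    # -- Extra resource permissions to add in the core cluster role.
    # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
    # @default -- See [values.yaml](values.yaml)
    extraResources: []
  clusterRole:
    # -- Extra resource permissions to add in the cluster role
    # Every rule added here widens the controller's cluster-wide privileges; limit it to what the policies actually need.
    extraResources: []
    # - apiGroups:
    #   - ''
    #   resources:
    #   - pods
  image:
    # -- Image registry
    registry: cgr.dev
    # Fallback registry; carries no helm-docs comment upstream. Presumably used when `registry` is unset — confirm against the templates.
    defaultRegistry: reg.kyverno.io
    # -- Image repository
    # The path contains `test-tmp`; confirm this is the intended image before rolling out.
    repository: scratch-images/test-tmp/kyverno-reports-controller
    # -- (string) Image tag
    # Defaults to appVersion in Chart.yaml if omitted
    # The `@sha256:` suffix pins the exact image digest, so a moved tag cannot change what is pulled.
    tag: 1.16.4-r7@sha256:940a40665c4d84ec284afad19f688a9df7573dca6b54979059726f2e3ea3ab03
    # -- Image pull policy
    pullPolicy: IfNotPresent
    # -- Image pull secrets
    imagePullSecrets: []
    # - secretName

  # -- (int) Desired number of pods
  replicas: ~
  # -- The number of revisions to keep
  revisionHistoryLimit: 10
  # -- Resync period for informers
  resyncPeriod: 15m
  # -- Additional labels to add to each pod
  podLabels: {}
  # example.com/label: foo

  # -- Additional annotations to add to each pod
  podAnnotations: {}
  # example.com/annotation: foo

  # -- Deployment annotations.
  annotations: {}
  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate
  # -- Optional priority class
  priorityClassName: ''
  # -- Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno reports controller activities.
  # This will help ensure Kyverno reports stability in busy clusters.
  # Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
  apiPriorityAndFairness: false
  # -- Priority level configuration.
  # The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want.
  # ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration
  # @default -- See [values.yaml](values.yaml)
  priorityLevelConfigurationSpec:
    type: Limited
    limited:
      nominalConcurrencyShares: 10
      limitResponse:
        queuing:
          queueLengthLimit: 50
        type: Queue
  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  # Sharing the host network namespace removes the pod's network isolation; keep false unless the CNI requires it.
  hostNetwork: false
  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst
  # -- `dnsConfig` allows to specify DNS configuration for the pod.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config.
  dnsConfig: {}
  # options:
  #   - name: ndots
  #     value: "2"

  # -- Extra arguments passed to the container on the command line
  extraArgs: {}
  # -- Additional container environment variables.
  extraEnvVars: []
  # Example setting proxy
  # extraEnvVars:
  #   - name: HTTPS_PROXY
  #     value: 'https://proxy.example.com:3128'

  resources:
    # -- Pod resource limits
    limits:
      memory: 128Mi
    # -- Pod resource requests
    requests:
      cpu: 100m
      memory: 64Mi
  # -- Node labels for pod assignment
  nodeSelector: {}
  # -- List of node taints to tolerate
  tolerations: []
  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true
    # -- Pod anti affinity constraints.
    # @default -- See [values.yaml](values.yaml)
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 1
          podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app.kubernetes.io/component
                  operator: In
                  values:
                    - reports-controller
            topologyKey: kubernetes.io/hostname
  # -- Pod affinity constraints.
  podAffinity: {}
  # -- Node affinity constraints.
  nodeAffinity: {}
  # -- Topology spread constraints.
  topologySpreadConstraints: []
  # -- Security context for the pod
  # Empty by default; the hardening below is applied at container level.
  podSecurityContext: {}
  # -- Security context for the containers
  # Non-root, unprivileged, no privilege escalation, read-only root filesystem, all capabilities dropped,
  # runtime default seccomp profile. Writable state must come from a mounted volume (see `sigstoreVolume`).
  securityContext:
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  podDisruptionBudget:
    # -- Enable PodDisruptionBudget.
    # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
    enabled: false
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    # Explicit null (`~`) rather than a bare key.
    maxUnavailable: ~
    # -- Unhealthy pod eviction policy to be used.
    # Possible values are `IfHealthyBudget` or `AlwaysAllow`.
    unhealthyPodEvictionPolicy: ~
  # -- A writable volume to use for the TUF root initialization.
  tufRootMountPath: /.sigstore
  # -- Volume to be mounted in pods for TUF/cosign work.
  # Needed because the container root filesystem is read-only.
  sigstoreVolume:
    emptyDir: {}
  caCertificates:
    # -- CA certificates to use with Kyverno deployments
    # This value is expected to be one large string of CA certificates
    data: ~
    # -- Volume to be mounted for CA certificates
    # Not used when `.Values.reportsController.caCertificates.data` is defined
    volume: {}
    # Example to use hostPath:
    # hostPath:
    #   path: /etc/pki/tls/ca-certificates.crt
    #   type: File
  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    # `NodePort` publishes the metrics endpoint on every node's address; keep `ClusterIP` unless that exposure is intended.
    type: ClusterIP
    # -- (string) Service node port.
    # Only used if `type` is `NodePort`.
    nodePort: ~
    # -- Service annotations.
    annotations: {}
    # -- (string) Service traffic distribution policy.
    # Set to `PreferClose` to route traffic to nearby endpoints, reducing latency and cross-zone costs.
    trafficDistribution: ~
  networkPolicy:
    # -- When true, use a NetworkPolicy to allow ingress to the webhook
    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
    enabled: false
    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
    # Keep the selectors as narrow as the calling API server allows.
    ingressFrom: []
  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional annotations
    additionalAnnotations: {}
    # -- Additional labels
    additionalLabels: {}
    # -- (string) Override namespace
    namespace: ~
    # -- Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    # Must stay below `interval`, otherwise consecutive scrapes overlap.
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    # When false the scrape is plain HTTP; set to true together with `tlsConfig` when the metrics endpoint serves TLS.
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}
    # -- RelabelConfigs to apply to samples before scraping
    relabelings: []
    # -- MetricRelabelConfigs to apply to samples before ingestion.
    metricRelabelings: []
  tracing:
    # -- Enable tracing
    enabled: false
    # -- (string) Traces receiver address
    address: ~
    # -- (string) Traces receiver port
    port: ~
    # -- (string) Traces receiver credentials
    # Anything set here is written into the rendered manifests; prefer sourcing credentials out of band.
    creds: ~
  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- (string) Otel collector endpoint
    collector: ~
    # -- (string) Otel collector credentials
    # Anything set here is written into the rendered manifests; prefer sourcing credentials out of band.
    creds: ~
  # -- reportsController server port
  # in case you are using hostNetwork: true, you might want to change the port the reportsController is listening to
  server:
    port: 9443
  profiling:
    # -- Enable profiling
    # Exposes a profiling endpoint on `port`; keep disabled outside of debugging sessions.
    enabled: false
    # -- Profiling endpoint port
    port: 6060
    # -- Service type.
    # `NodePort` publishes the profiling endpoint on every node's address; leave as `ClusterIP` unless that exposure is intended.
    serviceType: ClusterIP
    # -- (string) Service node port.
    # Only used if `serviceType` is `NodePort` (the key is `serviceType` here, not `type`).
    # Explicit null (`~`) rather than a bare key, matching `metricsService.nodePort` above.
    nodePort: ~
  # -- Enable sanity check for reports CRDs
  sanityChecks: true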
1945
