Kyverno
Описание
Kyverno — policy engine для Kubernetes. Модуль разворачивает в кластере admission-контроллер и добавляет возможность создавать политики, которые проверяют и изменяют ресурсы при их создании и обновлении (через webhook), а также периодически проверяют уже существующие ресурсы (background scan).
Дополнительные модули
Для подключения UI (просмотра отчётов политик — policy reports) потребуется модуль policy-reporter.
Подключение модуля Kyverno
Описание Yaml
Внимание!
Values, для которых нет описания (см. callout (1) ниже), являются продвинутыми настройками — редактировать их без необходимости не рекомендуется.
- Описание
# Addon Config that enables the Kyverno module and points every image at the
# platform's private Harbor registry (mirrors of the upstream images).
# Controller image tags are intentionally omitted so they follow the chart's
# appVersion; only the kubectl helper images carry an explicit tag.
apiVersion: addon.bootsman.tech/v1alpha1
kind: Config
metadata:
  name: CLUSTER_NAME-kyverno
  namespace: CLUSTER_NAMESPACE
spec:
  enabled: true (1)
  values:
    admissionController:
      container:
        image:
          # No tag: defaults to the chart appVersion (see "Kyverno Values" below).
          registry: harbor.bootsman.host/bootsman-nimbus/common-artifacts
          repository: kyverno
      initContainer:
        image:
          registry: harbor.bootsman.host/bootsman-nimbus/common-artifacts
          repository: kyvernopre
    backgroundController:
      image:
        registry: harbor.bootsman.host/bootsman-nimbus/common-artifacts
        repository: background-controller
    cleanupController:
      image:
        registry: harbor.bootsman.host/bootsman-nimbus/common-artifacts
        repository: cleanup-controller
    cleanupJobs:
      admissionReports:
        image:
          registry: harbor.bootsman.host/bootsman-nimbus/common-artifacts
          repository: bitnami-kubectl
          # Pinned kubectl tag (overrides the chart default '1.26.4'). Keep it
          # within the kubectl/API-server version skew your cluster supports and
          # bump it together with `webhooksCleanup.image` below.
          tag: 1.28.4
      clusterAdmissionReports:
        image:
          registry: harbor.bootsman.host/bootsman-nimbus/common-artifacts
          repository: bitnami-kubectl
          tag: 1.28.4
    reportsController:
      image:
        registry: harbor.bootsman.host/bootsman-nimbus/common-artifacts
        repository: reports-controller
    test:
      image:
        # No tag here: the chart default ('1.35') applies to the helm-test pod.
        registry: harbor.bootsman.host/bootsman-nimbus/common-artifacts
        repository: busybox
    webhooksCleanup:
      # Full image reference (this key is a single string in the chart). The
      # explicit tag replaces the chart default `bitnami/kubectl:latest`, whose
      # mutable tag would otherwise change what the pre-delete hook executes.
      image: >-
        harbor.bootsman.host/bootsman-nimbus/common-artifacts/bitnami-kubectl:1.28.4
- `true` — модуль включён; `false` — выключен.
Настройка в UI
Все Values
Продвинутые настройки
Ниже представлены тонкие настройки модуля (значения по умолчанию из чарта Kyverno). Используйте их для расширения конфигурации модуля, если потребуется. Обратите внимание: часть параметров ослабляет контроль политик — `features.forceFailurePolicyIgnore` (webhook начинает пропускать запросы при недоступности Kyverno), `config.resourceFilters`, `config.excludeGroups` и `config.excludeUsernames` (исключения из проверки), `features.policyExceptions`, `features.registryClient.allowInsecure`; изменяйте их осознанно.
Документация
Более полная документация по модулю:
Kyverno Cloud
Kyverno Chart
Kyverno Values
values:
# -- Internal settings used with `helm template` to generate install manifest
# @ignored
# Keep disabled for a normal Helm/addon install; this only matters when
# rendering static manifests outside of Helm.
templating:
  enabled: false
  debug: false
  version: ~
# -- (string) Override the name of the chart
nameOverride: ~
# -- (string) Override the expanded name of the chart
fullnameOverride: ~
# -- (string) Override the namespace the chart deploys to
# NOTE(review): the deploy namespace also feeds the default `config.resourceFilters`
# entries and the `config.excludeKyvernoNamespace` exclusion, so keep it dedicated
# to Kyverno rather than sharing it with other workloads.
namespaceOverride: ~
upgrade:
  # -- Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed.
  fromV2: false
apiVersionOverride:
  # -- (string) Override api version used to create `PodDisruptionBudget` resources.
  # When not specified the chart will check if `policy/v1/PodDisruptionBudget` is available to
  # determine the api version automatically.
  podDisruptionBudget: ~
# CRDs configuration
crds:
  # -- Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created
  install: true
  # -- Additional CRDs annotations
  # Typically used for GitOps tooling sync options (examples below).
  annotations: {}
  # argocd.argoproj.io/sync-options: Replace=true
  # strategy.spinnaker.io/replace: 'true'
# Configuration
# Runtime settings rendered into the Kyverno ConfigMap. The `exclude*`,
# `resourceFilters` and `webhooks` keys define what Kyverno will NOT evaluate,
# so every addition to them is effectively a policy bypass and should be
# reviewed as such.
config:
  # -- Create the configmap.
  create: true
  # -- (string) The configmap name (required if `create` is `false`).
  name: ~
  # -- Additional annotations to add to the configmap.
  annotations: {}
  # -- Enable registry mutation for container images. Enabled by default.
  # NOTE(review): image references without a registry are presumably normalised
  # to `defaultRegistry` before policies evaluate them; confirm this matches what
  # image-verification / registry-allowlist policies expect when all images are
  # mirrored from a private registry.
  enableDefaultRegistryMutation: true
  # -- The registry hostname used for the image mutation.
  defaultRegistry: docker.io
  # -- Exclude groups
  # Requests made by members of these groups are not evaluated by policies.
  # `system:nodes` covers the kubelets; adding broader groups widens the bypass.
  excludeGroups:
    - system:nodes
  # -- Exclude usernames
  # Per-user counterpart of `excludeGroups`; see the commented example for the
  # expected entry syntax.
  excludeUsernames: []
  # - '!system:kube-scheduler'
  # -- Exclude roles
  excludeRoles: []
  # -- Exclude cluster roles
  excludeClusterRoles: []
  # -- Generate success events.
  generateSuccessEvents: false
  # -- Resource types to be skipped by the Kyverno policy engine.
  # Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
  # These are joined together without spaces, run through `tpl`, and the result is set in the config map.
  # @default -- See [values.yaml](values.yaml)
  # Entry format is '[Kind,namespace,name]' with `*` as a wildcard. The
  # `[*/*,kube-system,*]`-style entries exempt whole namespaces: nothing created
  # in kube-system, kube-public or kube-node-lease is checked at admission, so
  # write access to those namespaces must be treated as the ability to bypass
  # policy. Background scans ignore this list while
  # `features.backgroundScan.skipResourceFilters` is `true`.
  resourceFilters:
    - '[Event,*,*]'
    - '[*/*,kube-system,*]'
    - '[*/*,kube-public,*]'
    - '[*/*,kube-node-lease,*]'
    - '[Node,*,*]'
    - '[Node/*,*,*]'
    - '[APIService,*,*]'
    - '[APIService/*,*,*]'
    - '[TokenReview,*,*]'
    - '[SubjectAccessReview,*,*]'
    - '[SelfSubjectAccessReview,*,*]'
    - '[Binding,*,*]'
    - '[Pod/binding,*,*]'
    - '[ReplicaSet,*,*]'
    - '[ReplicaSet/*,*,*]'
    - '[AdmissionReport,*,*]'
    - '[AdmissionReport/*,*,*]'
    - '[ClusterAdmissionReport,*,*]'
    - '[ClusterAdmissionReport/*,*,*]'
    - '[BackgroundScanReport,*,*]'
    - '[BackgroundScanReport/*,*,*]'
    - '[ClusterBackgroundScanReport,*,*]'
    - '[ClusterBackgroundScanReport/*,*,*]'
    # exclude resources from the chart
    # Kyverno's own objects (RBAC, ServiceAccounts, workloads, ConfigMaps,
    # NetworkPolicies, Services and the `*.svc.*` Secrets that presumably hold
    # the webhook TLS material) are exempted so that a policy cannot lock the
    # controller out of managing itself.
    - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]'
    - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]'
    - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:additional]'
    - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}]'
    - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:core]'
    - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:additional]'
    - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
    - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:core]'
    - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:additional]'
    - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}]'
    - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:core]'
    - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:additional]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.admission-controller.roleName" . }}]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.background-controller.roleName" . }}]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.reports-controller.roleName" . }}]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
    - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
    - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
    - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
    - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
    - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]'
    - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
    - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
    - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
    - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
    - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
    - '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
    - '[Job/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
    - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
    - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
    - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
    - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
    - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.background-controller.name" . }}]'
    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
    - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
  # -- Defines the `namespaceSelector` in the webhook configurations.
  # Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element
  # will be forwarded to the webhook configurations.
  # The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
  # Unlike `resourceFilters`, selectors placed here are evaluated by the API
  # server, so matching requests are never sent to Kyverno at all. An
  # `objectSelector` exclusion keyed on a label (as in the example) can be
  # satisfied by anyone allowed to set that label on their own objects.
  webhooks: []
  # Exclude namespaces
  # - namespaceSelector:
  #     matchExpressions:
  #       - key: kubernetes.io/metadata.name
  #         operator: NotIn
  #         values:
  #           - kube-system
  #           - kyverno
  # Exclude objects
  # - objectSelector:
  #     matchExpressions:
  #       - key: webhooks.kyverno.io/exclude
  #         operator: DoesNotExist
  # -- Defines annotations to set on webhook configurations.
  webhookAnnotations: {}
  # Example to disable admission enforcer on AKS:
  # 'admissions.enforcer/disabled': 'true'
  # -- Exclude Kyverno namespace
  # Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters
  # Keeps Kyverno from evaluating (and potentially blocking) its own namespace;
  # another reason not to co-locate other workloads there.
  excludeKyvernoNamespace: true
  # -- resourceFilter namespace exclude
  # Namespaces to exclude from the default resourceFilters
  # Every namespace listed here joins kube-system & co. as a policy-free zone.
  resourceFiltersExcludeNamespaces: []
# Metrics configuration
# Controls the second ConfigMap that scopes and bounds Kyverno's Prometheus metrics.
metricsConfig:
  # -- Create the configmap.
  create: true
  # -- (string) The configmap name (required if `create` is `false`).
  name: ~
  # -- Additional annotations to add to the configmap.
  annotations: {}
  namespaces:
    # -- List of namespaces to capture metrics for.
    include: []
    # -- list of namespaces to NOT capture metrics for.
    exclude: []
  # -- (string) Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics
  # Consider setting this on large clusters: unbounded per-policy/per-resource
  # series are a memory-exhaustion risk for the controllers.
  metricsRefreshInterval: ~
  # metricsRefreshInterval: 24h
# -- Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument
# NOTE(review): entries here put registry credentials in plaintext inside the
# values (and therefore into whatever stores or renders them). Prefer creating
# the Secret out of band and referencing it via `existingImagePullSecrets`.
imagePullSecrets: {}
# regcred:
#   registry: foo.example.com
#   username: foobar
#   password: secret
# regcred2:
#   registry: bar.example.com
#   username: barbaz
#   password: secret2
# -- Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument
# Names of pre-existing Secrets in the Kyverno namespace; the preferred way to
# give verifyImages access to private registries.
existingImagePullSecrets: []
# - test-registry
# - other-test-registry
# Tests configuration
# Image and hardening for the `helm test` pod; it is not part of the running
# controllers. Runs as uid/gid 65534 (conventionally `nobody`), non-root,
# read-only root filesystem, all capabilities dropped, RuntimeDefault seccomp.
test:
  image:
    # -- (string) Image registry
    registry: ~
    # -- Image repository
    repository: busybox
    # -- Image tag
    # Defaults to `latest` if omitted
    # Pinned here so the test pod does not float on a mutable tag.
    tag: '1.35'
    # -- (string) Image pull policy
    # Defaults to image.pullPolicy if omitted
    pullPolicy: ~
  resources:
    # -- Pod resource limits
    limits:
      cpu: 100m
      memory: 256Mi
    # -- Pod resource requests
    requests:
      cpu: 10m
      memory: 64Mi
  # -- Security context for the test containers
  securityContext:
    runAsUser: 65534
    runAsGroup: 65534
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  # -- Additional labels
  customLabels: {}
# Helm pre-delete hook that removes Kyverno's webhook configurations on
# uninstall, so the API server does not keep calling a webhook that no longer
# exists (which, with failurePolicy Fail, would block admissions cluster-wide).
webhooksCleanup:
  # -- Create a helm pre-delete hook to cleanup webhooks.
  enabled: true
  # -- `kubectl` image to run commands for deleting webhooks.
  # NOTE(review): `latest` is a mutable tag, so what this hook executes can change
  # between installs without any values change. Pin an explicit tag or digest in
  # your override (the addon Config on this page pins `bitnami-kubectl:1.28.4`),
  # consistent with the pinned tags used under `cleanupJobs`.
  image: bitnami/kubectl:latest
  # -- Image pull secrets
  imagePullSecrets: []
  # -- Node labels for pod assignment
  nodeSelector: {}
  # -- List of node taints to tolerate
  tolerations: []
  # -- Pod anti affinity constraints.
  podAntiAffinity: {}
  # -- Pod affinity constraints.
  podAffinity: {}
  # -- Node affinity constraints.
  nodeAffinity: {}
# Optional Grafana dashboard shipped as a ConfigMap (picked up by sidecar-based
# dashboard loaders via the `grafana_dashboard` label).
grafana:
  # -- Enable grafana dashboard creation.
  enabled: false
  # -- Configmap name template.
  configMapName: '{{ include "kyverno.fullname" . }}-grafana'
  # -- (string) Namespace to create the grafana dashboard configmap.
  # If not set, it will be created in the same namespace where the chart is deployed.
  namespace: ~
  # -- Grafana dashboard configmap annotations.
  annotations: {}
  # -- Grafana dashboard configmap labels
  labels:
    # Quoted on purpose: the label value must be the string "1", not an integer.
    grafana_dashboard: "1"
# Features configuration
# Feature flags shared by all controllers (each controller can override them via
# its own `featuresOverride`). The flags annotated below change the enforcement
# model rather than just behaviour, so treat changes to them as security changes.
features:
  admissionReports:
    # -- Enables the feature
    enabled: true
  policyReports:
    # -- Enables the feature
    enabled: true
  autoUpdateWebhooks:
    # -- Enables the feature
    # NOTE(review): lets Kyverno manage its own webhook configurations; keep on
    # unless the webhooks are deliberately managed outside the chart.
    enabled: true
  backgroundScan:
    # -- Enables the feature
    enabled: true
    # -- Number of background scan workers
    backgroundScanWorkers: 2
    # -- Background scan interval
    backgroundScanInterval: 1h
    # -- Skips resource filters in background scan
    # `true` means the `config.resourceFilters` exemptions do NOT apply to
    # background scans, so reports still cover resources admission skipped.
    skipResourceFilters: true
  configMapCaching:
    # -- Enables the feature
    enabled: true
  deferredLoading:
    # -- Enables the feature
    enabled: true
  dumpPayload:
    # -- Enables the feature
    # NOTE(review): debugging aid that dumps admission request payloads to the
    # logs; payloads can include Secret contents, so leave off outside of
    # troubleshooting sessions.
    enabled: false
  forceFailurePolicyIgnore:
    # -- Enables the feature
    # Forces `failurePolicy: Ignore` on all webhooks: the API server then ADMITS
    # requests whenever Kyverno is unreachable or times out (fail-open). Keep
    # `false` for enforcement; express exceptions per policy instead.
    enabled: false
  logging:
    # -- Logging format
    format: text
    # -- Logging verbosity
    verbosity: 2
  omitEvents:
    # -- Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`)
    # Omitting `PolicyViolation` removes the events detection tooling usually keys on.
    eventTypes: []
    # - PolicyViolation
    # - PolicyApplied
    # - PolicyError
    # - PolicySkipped
  policyExceptions:
    # -- Enables the feature
    # PolicyException objects let workloads opt out of matching policies. If this
    # is enabled, restrict `namespace` to one that only policy administrators can
    # write to; otherwise anyone able to create PolicyException objects can
    # exempt workloads from enforcement.
    enabled: false
    # -- Restrict policy exceptions to a single namespace
    namespace: ''
  protectManagedResources:
    # -- Enables the feature
    # NOTE(review): presumably guards resources Kyverno itself created from being
    # modified by other principals; confirm the exact scope for this chart version.
    enabled: false
  registryClient:
    # -- Allow insecure registry
    # Permits plaintext / untrusted-TLS registries when fetching image metadata and
    # signatures for image verification; keep `false`, or signature checks can be
    # satisfied by a man-in-the-middle.
    allowInsecure: false
    # -- Enable registry client helpers
    # Cloud credential helpers used to authenticate to registries during image
    # verification; drop the ones your environment does not use.
    credentialHelpers:
      - default
      - google
      - amazon
      - azure
      - github
  reports:
    # -- Reports chunk size
    chunkSize: 1000
# Cleanup cronjobs to prevent internal resources from stacking up in the cluster
# Two CronJobs that run `kubectl` with the chart's RBAC to delete (Cluster)AdmissionReport
# objects once `threshold` is exceeded. Both run non-root with a read-only root FS
# and all capabilities dropped; `podSecurityContext` is left empty, so pod-level
# settings (fsGroup, pod-level seccomp) come from the namespace/PSA defaults.
cleanupJobs:
  admissionReports:
    # -- Enable cleanup cronjob
    enabled: true
    image:
      # -- (string) Image registry
      registry: ~
      # -- Image repository
      repository: bitnami/kubectl
      # -- Image tag
      # Defaults to `latest` if omitted
      # Pinned tag (good). Keep kubectl within the version skew your API server
      # supports; the addon Config on this page overrides it with 1.28.4.
      tag: '1.26.4'
      # -- (string) Image pull policy
      # Defaults to image.pullPolicy if omitted
      pullPolicy: ~
    # -- Image pull secrets
    imagePullSecrets: []
    # - name: secretName
    # -- Cronjob schedule
    schedule: '*/10 * * * *'
    # -- Reports threshold, if number of reports are above this value the cronjob will start deleting them
    threshold: 10000
    # -- Cronjob history
    history:
      success: 1
      failure: 1
    # -- Security context for the pod
    podSecurityContext: {}
    # -- Security context for the containers
    securityContext:
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
    # -- Job resources
    resources: {}
    # -- List of node taints to tolerate
    tolerations: []
    # -- Node labels for pod assignment
    nodeSelector: {}
    # -- Pod Annotations
    podAnnotations: {}
    # -- Pod labels
    podLabels: {}
    # -- Pod anti affinity constraints.
    podAntiAffinity: {}
    # -- Pod affinity constraints.
    podAffinity: {}
    # -- Node affinity constraints.
    nodeAffinity: {}
  clusterAdmissionReports:
    # -- Enable cleanup cronjob
    enabled: true
    image:
      # -- (string) Image registry
      registry: ~
      # -- Image repository
      repository: bitnami/kubectl
      # -- Image tag
      # Defaults to `latest` if omitted
      # Keep in lockstep with `admissionReports.image.tag` above.
      tag: '1.26.4'
      # -- (string) Image pull policy
      # Defaults to image.pullPolicy if omitted
      pullPolicy: ~
    # -- Image pull secrets
    imagePullSecrets: []
    # - name: secretName
    # -- Cronjob schedule
    schedule: '*/10 * * * *'
    # -- Reports threshold, if number of reports are above this value the cronjob will start deleting them
    threshold: 10000
    # -- Cronjob history
    history:
      success: 1
      failure: 1
    # -- Security context for the pod
    podSecurityContext: {}
    # -- Security context for the containers
    securityContext:
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
    # -- Job resources
    resources: {}
    # -- List of node taints to tolerate
    tolerations: []
    # -- Node labels for pod assignment
    nodeSelector: {}
    # -- Pod Annotations
    podAnnotations: {}
    # -- Pod Labels
    podLabels: {}
    # -- Pod anti affinity constraints.
    podAntiAffinity: {}
    # -- Pod affinity constraints.
    podAffinity: {}
    # -- Node affinity constraints.
    nodeAffinity: {}
# Admission controller configuration
# The admission controller serves Kyverno's validating/mutating webhooks (HTTPS
# on 9443, see the probes) and is the enforcement point for policies. Anything
# that loosens its isolation (hostNetwork, a NodePort service, extra containers,
# extra RBAC) is a change to the cluster's trust boundary, not just a tweak.
admissionController:
  # -- Overrides features defined at the root level
  featuresOverride: {}
  rbac:
    # -- Create RBAC resources
    create: true
    serviceAccount:
      # -- The ServiceAccount name
      name:
      # -- Annotations for the ServiceAccount
      annotations: {}
      # example.com/annotation: value
    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      # Each entry widens the controller's ClusterRole; grant only the verbs a
      # policy actually needs (for example for mutate/generate targets).
      extraResources: []
      # - apiGroups:
      #     - ''
      #   resources:
      #     - pods
      #   verbs:
      #     - create
      #     - update
      #     - delete
  # -- Create self-signed certificates at deployment time.
  # The certificates won't be automatically renewed if this is set to `true`.
  # Leave `false` so the webhook TLS material is managed (and renewed) by Kyverno
  # rather than frozen at install time.
  createSelfSignedCert: false
  # -- (int) Desired number of pods
  # Two or more replicas are advisable in production: with failurePolicy Fail a
  # single unavailable pod means rejected admissions for every matched resource.
  replicas: ~
  # -- Additional labels to add to each pod
  podLabels: {}
  # example.com/label: foo
  # -- Additional annotations to add to each pod
  podAnnotations: {}
  # example.com/annotation: foo
  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate
  # -- Optional priority class
  priorityClassName: ''
  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  # `true` binds the webhook listener on the node's network namespace and
  # bypasses NetworkPolicy; only enable it when the CNI leaves no alternative.
  hostNetwork: false
  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst
  # -- Startup probe.
  # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  startupProbe:
    httpGet:
      path: /health/liveness
      port: 9443
      scheme: HTTPS
    failureThreshold: 20
    initialDelaySeconds: 2
    periodSeconds: 6
  # -- Liveness probe.
  # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  livenessProbe:
    httpGet:
      path: /health/liveness
      port: 9443
      scheme: HTTPS
    initialDelaySeconds: 15
    periodSeconds: 30
    timeoutSeconds: 5
    failureThreshold: 2
    successThreshold: 1
  # -- Readiness Probe.
  # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  readinessProbe:
    httpGet:
      path: /health/readiness
      port: 9443
      scheme: HTTPS
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  # -- Node labels for pod assignment
  nodeSelector: {}
  # -- List of node taints to tolerate
  tolerations: []
  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true
    # -- Pod anti affinity constraints.
    # @default -- See [values.yaml](values.yaml)
    # Soft (preferred) spreading across nodes; use topologySpreadConstraints for a hard guarantee.
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 1
          podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app.kubernetes.io/component
                  operator: In
                  values:
                    - admission-controller
            topologyKey: kubernetes.io/hostname
  # -- Pod affinity constraints.
  podAffinity: {}
  # -- Node affinity constraints.
  nodeAffinity: {}
  # -- Topology spread constraints.
  topologySpreadConstraints: []
  # -- Security context for the pod
  # Empty: hardening is applied per container below. Pod-level settings such as
  # `fsGroup` or `seccompProfile` can be added here if your PSA baseline requires them.
  podSecurityContext: {}
  podDisruptionBudget:
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable:
  # -- A writable volume to use for the TUF root initialization.
  # Used by image-verification (cosign/sigstore) to cache the TUF root.
  tufRootMountPath: /.sigstore
  # -- Volume to be mounted in pods for TUF/cosign work.
  # emptyDir: the TUF cache is rebuilt on every pod restart.
  sigstoreVolume:
    emptyDir: {}
  # -- Image pull secrets
  imagePullSecrets: []
  # - secretName
  initContainer:
    image:
      # -- Image registry
      registry: ghcr.io
      # -- Image repository
      repository: kyverno/kyvernopre
      # -- (string) Image tag
      # If missing, defaults to image.tag
      tag: ~
      # -- (string) Image pull policy
      # If missing, defaults to image.pullPolicy
      pullPolicy: ~
    resources:
      # -- Pod resource limits
      limits:
        cpu: 100m
        memory: 256Mi
      # -- Pod resource requests
      requests:
        cpu: 10m
        memory: 64Mi
    # -- Container security context
    securityContext:
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
    # -- Additional container args.
    extraArgs: {}
    # -- Additional container environment variables.
    extraEnvVars: []
  container:
    image:
      # -- Image registry
      registry: ghcr.io
      # -- Image repository
      repository: kyverno/kyverno
      # -- (string) Image tag
      # Defaults to appVersion in Chart.yaml if omitted
      tag: ~
      # -- Image pull policy
      pullPolicy: IfNotPresent
    resources:
      # -- Pod resource limits
      # Memory-only limit; no CPU limit so admission latency is not throttled.
      limits:
        memory: 384Mi
      # -- Pod resource requests
      requests:
        cpu: 100m
        memory: 128Mi
    # -- Container security context
    securityContext:
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
    # -- Additional container args.
    extraArgs: {}
    # -- Additional container environment variables.
    extraEnvVars: []
  # -- Array of extra init containers
  extraInitContainers: []
  # - name: init-container
  #   image: busybox
  #   command: ['sh', '-c', 'echo Hello']
  # -- Array of extra containers to run alongside kyverno
  # NOTE(review): sidecars share the pod's ServiceAccount token, so they inherit
  # the admission controller's cluster-wide permissions; their images are part of
  # the controller's trusted computing base and need the same pinning/hardening.
  extraContainers: []
  # - name: myapp-container
  #   image: busybox
  #   command: ['sh', '-c', 'echo Hello && sleep 3600']
  service:
    # -- Service port.
    port: 443
    # -- Service type.
    # Keep `ClusterIP`: the webhook only needs to be reachable from the API
    # server. `NodePort` would expose the admission endpoint on every node.
    type: ClusterIP
    # -- Service node port.
    # Only used if `type` is `NodePort`.
    nodePort:
    # -- Service annotations.
    annotations: {}
  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Kyverno's metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    type: ClusterIP
    # -- Service node port.
    # Only used if `type` is `NodePort`.
    nodePort:
    # -- Service annotations.
    annotations: {}
  networkPolicy:
    # -- When true, use a NetworkPolicy to allow ingress to the webhook
    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
    # In a default-deny cluster leaving this off means the API server cannot reach
    # the webhook, which with failurePolicy Fail rejects every matched admission.
    enabled: false
    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
    ingressFrom: []
  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional labels
    additionalLabels: {}
    # -- (string) Override namespace
    namespace: ~
    # -- Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    # Metrics are scraped over plain HTTP unless this and `tlsConfig` are set.
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}
    # -- RelabelConfigs to apply to samples before scraping
    relabelings: []
    # -- MetricRelabelConfigs to apply to samples before ingestion.
    metricRelabelings: []
  tracing:
    # -- Enable tracing
    enabled: false
    # -- Traces receiver address
    address:
    # -- Traces receiver port
    port:
    # -- Traces receiver credentials
    # Stored in plaintext in the values; keep rendered values out of version control.
    creds: ''
  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- Otel collector endpoint
    collector: ''
    # -- Otel collector credentials
    # Same caveat as `tracing.creds`: plaintext in the values.
    creds: ''
# Background controller configuration
backgroundController:
# -- Overrides features defined at the root level
featuresOverride: {}
# -- Enable background controller.
# NOTE(review): this controller applies policies outside of admission (background
# scans and, presumably, generate/mutate-existing rules); disabling it keeps
# admission-time enforcement but stops those functions.
enabled: true
rbac:
  # -- Create RBAC resources
  create: true
  serviceAccount:
    # -- Service account name
    name:
    # -- Annotations for the ServiceAccount
    annotations: {}
    # example.com/annotation: value
  clusterRole:
    # -- Extra resource permissions to add in the cluster role
    # Needed for rules that create or patch resources Kyverno does not manage by
    # default; keep each entry to the minimum verbs the policy requires.
    extraResources: []
    # - apiGroups:
    #     - ''
    #   resources:
    #     - pods
    #   verbs:
    #     - create
    #     - update
    #     - delete
    #     - patch
image:
  # -- Image registry
  registry: ghcr.io
  # -- Image repository
  repository: kyverno/background-controller
  # -- Image tag
  # Defaults to appVersion in Chart.yaml if omitted
  tag: # replaced in e2e tests
  # -- Image pull policy
  pullPolicy: IfNotPresent
# -- Image pull secrets
imagePullSecrets: []
# - secretName
# -- (int) Desired number of pods
replicas: ~
# -- Additional labels to add to each pod
podLabels: {}
# example.com/label: foo
# -- Additional annotations to add to each pod
podAnnotations: {}
# example.com/annotation: foo
# -- Deployment update strategy.
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
# @default -- See [values.yaml](values.yaml)
updateStrategy:
  rollingUpdate:
    maxSurge: 1
    maxUnavailable: 40%
  type: RollingUpdate
# -- Optional priority class
priorityClassName: ''
# -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
# Update the `dnsPolicy` accordingly as well to suit the host network mode.
# Keep `false` unless the CNI leaves no alternative; host networking bypasses NetworkPolicy.
hostNetwork: false
# -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
# In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
dnsPolicy: ClusterFirst
# -- Extra arguments passed to the container on the command line
extraArgs: {}
# -- Additional container environment variables.
extraEnvVars: []
resources:
  # -- Pod resource limits
  # Memory-only limit; no CPU limit is set.
  limits:
    memory: 128Mi
  # -- Pod resource requests
  requests:
    cpu: 100m
    memory: 64Mi
# -- Node labels for pod assignment
nodeSelector: {}
# -- List of node taints to tolerate
tolerations: []
antiAffinity:
# -- Pod antiAffinities toggle.
# Enabled by default but can be disabled if you want to schedule pods to the same node.
enabled: true
# -- Pod anti affinity constraints.
# @default -- See [values.yaml](values.yaml)
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- background-controller
topologyKey: kubernetes.io/hostname
# -- Pod affinity constraints.
podAffinity: {}
# -- Node affinity constraints.
nodeAffinity: {}
# -- Topology spread constraints.
topologySpreadConstraints: []
# -- Security context for the pod
podSecurityContext: {}
# -- Security context for the containers
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
podDisruptionBudget:
# -- Configures the minimum available pods for disruptions.
# Cannot be used if `maxUnavailable` is set.
minAvailable: 1
# -- Configures the maximum unavailable pods for disruptions.
# Cannot be used if `minAvailable` is set.
maxUnavailable:
metricsService:
# -- Create service.
create: true
# -- Service port.
# Metrics server will be exposed at this port.
port: 8000
# -- Service type.
type: ClusterIP
# -- Service node port.
# Only used if `metricsService.type` is `NodePort`.
nodePort:
# -- Service annotations.
annotations: {}
networkPolicy:
# -- When true, use a NetworkPolicy to allow ingress to the webhook
# This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
enabled: false
# -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
ingressFrom: []
serviceMonitor:
# -- Create a `ServiceMonitor` to collect Prometheus metrics.
enabled: false
# -- Additional labels
additionalLabels: {}
# -- (string) Override namespace
namespace: ~
# -- Interval to scrape metrics
interval: 30s
# -- Timeout if metrics can't be retrieved in given time interval
scrapeTimeout: 25s
# -- Is TLS required for endpoint
secure: false
# -- TLS Configuration for endpoint
tlsConfig: {}
# -- RelabelConfigs to apply to samples before scraping
relabelings: []
# -- MetricRelabelConfigs to apply to samples before ingestion.
metricRelabelings: []
tracing:
# -- Enable tracing
enabled: false
# -- Traces receiver address
address:
# -- Traces receiver port
port:
# -- Traces receiver credentials
creds: ''
metering:
# -- Disable metrics export
disabled: false
# -- Otel configuration, can be `prometheus` or `grpc`
config: prometheus
# -- Prometheus endpoint port
port: 8000
# -- Otel collector endpoint
collector: ''
# -- Otel collector credentials
creds: ''
# Cleanup controller configuration
cleanupController:
  # -- Overrides features defined at the root level
  featuresOverride: {}
  # -- Enable cleanup controller.
  enabled: true
  rbac:
    # -- Create RBAC resources
    create: true
    serviceAccount:
      # -- Service account name
      name:
      # -- Annotations for the ServiceAccount
      annotations: {}
      # example.com/annotation: value
    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      # NOTE(review): entries here widen the controller's cluster-wide permissions;
      # keep them to the resources the cleanup policies actually touch.
      extraResources: []
      # - apiGroups:
      #     - ''
      #   resources:
      #     - pods
  # -- Create self-signed certificates at deployment time.
  # The certificates won't be automatically renewed if this is set to `true`.
  createSelfSignedCert: false
  image:
    # -- Image registry
    registry: ghcr.io
    # -- Image repository
    repository: kyverno/cleanup-controller
    # -- (string) Image tag
    # Defaults to appVersion in Chart.yaml if omitted
    tag: ~
    # -- Image pull policy
    pullPolicy: IfNotPresent
  # -- Image pull secrets
  imagePullSecrets: []
  # - secretName
  # -- (int) Desired number of pods
  replicas: ~
  # -- Additional labels to add to each pod
  podLabels: {}
  # example.com/label: foo
  # -- Additional annotations to add to each pod
  podAnnotations: {}
  # example.com/annotation: foo
  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate
  # -- Optional priority class
  priorityClassName: ''
  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  hostNetwork: false
  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst
  # -- Extra arguments passed to the container on the command line
  extraArgs: {}
  # -- Additional container environment variables.
  extraEnvVars: []
  resources:
    # -- Pod resource limits
    limits:
      memory: 128Mi
    # -- Pod resource requests
    requests:
      cpu: 100m
      memory: 64Mi
  # -- Startup probe.
  # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  startupProbe:
    httpGet:
      path: /health/liveness
      port: 9443
      scheme: HTTPS
    failureThreshold: 20
    initialDelaySeconds: 2
    periodSeconds: 6
  # -- Liveness probe.
  # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  livenessProbe:
    httpGet:
      path: /health/liveness
      port: 9443
      scheme: HTTPS
    initialDelaySeconds: 15
    periodSeconds: 30
    timeoutSeconds: 5
    failureThreshold: 2
    successThreshold: 1
  # -- Readiness Probe.
  # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  readinessProbe:
    httpGet:
      path: /health/readiness
      port: 9443
      scheme: HTTPS
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  # -- Node labels for pod assignment
  nodeSelector: {}
  # -- List of node taints to tolerate
  tolerations: []
  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true
  # -- Pod anti affinity constraints.
  # @default -- See [values.yaml](values.yaml)
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - cleanup-controller
          topologyKey: kubernetes.io/hostname
  # -- Pod affinity constraints.
  podAffinity: {}
  # -- Node affinity constraints.
  nodeAffinity: {}
  # -- Topology spread constraints.
  topologySpreadConstraints: []
  # -- Security context for the pod
  # (left empty here; the hardening below is applied at container level)
  podSecurityContext: {}
  # -- Security context for the containers
  securityContext:
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  podDisruptionBudget:
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable:
  service:
    # -- Service port.
    port: 443
    # -- Service type.
    type: ClusterIP
    # -- Service node port.
    # Only used if `service.type` is `NodePort`.
    nodePort:
    # -- Service annotations.
    annotations: {}
  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    type: ClusterIP
    # -- Service node port.
    # Only used if `metricsService.type` is `NodePort`.
    nodePort:
    # -- Service annotations.
    annotations: {}
  networkPolicy:
    # -- When true, use a NetworkPolicy to allow ingress to the webhook
    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
    enabled: false
    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
    ingressFrom: []
  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional labels
    additionalLabels: {}
    # -- (string) Override namespace
    namespace: ~
    # -- Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}
    # -- RelabelConfigs to apply to samples before scraping
    relabelings: []
    # -- MetricRelabelConfigs to apply to samples before ingestion.
    metricRelabelings: []
  tracing:
    # -- Enable tracing
    enabled: false
    # -- Traces receiver address
    address:
    # -- Traces receiver port
    port:
    # -- Traces receiver credentials
    # NOTE(review): a committed values file is a poor place for a credential; prefer
    # supplying it out of band (e.g. via `extraEnvVars` from a Secret) — confirm against the chart templates.
    creds: ''
  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- Otel collector endpoint
    collector: ''
    # -- Otel collector credentials
    # NOTE(review): same caveat as `tracing.creds` — avoid committing the value here.
    creds: ''
# Reports controller configuration
reportsController:
  # -- Overrides features defined at the root level
  featuresOverride: {}
  # -- Enable reports controller.
  enabled: true
  rbac:
    # -- Create RBAC resources
    create: true
    serviceAccount:
      # -- Service account name
      name:
      # -- Annotations for the ServiceAccount
      annotations: {}
      # example.com/annotation: value
    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      # NOTE(review): entries here widen the controller's cluster-wide permissions;
      # add only what the report generation actually needs.
      extraResources: []
      # - apiGroups:
      #     - ''
      #   resources:
      #     - pods
  image:
    # -- Image registry
    registry: ghcr.io
    # -- Image repository
    repository: kyverno/reports-controller
    # -- (string) Image tag
    # Defaults to appVersion in Chart.yaml if omitted
    tag: ~
    # -- Image pull policy
    pullPolicy: IfNotPresent
  # -- Image pull secrets
  imagePullSecrets: []
  # - secretName
  # -- (int) Desired number of pods
  replicas: ~
  # -- Additional labels to add to each pod
  podLabels: {}
  # example.com/label: foo
  # -- Additional annotations to add to each pod
  podAnnotations: {}
  # example.com/annotation: foo
  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate
  # -- Optional priority class
  priorityClassName: ''
  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  hostNetwork: false
  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst
  # -- Extra arguments passed to the container on the command line
  extraArgs: {}
  # -- Additional container environment variables.
  extraEnvVars: []
  resources:
    # -- Pod resource limits
    limits:
      memory: 128Mi
    # -- Pod resource requests
    requests:
      cpu: 100m
      memory: 64Mi
  # -- Node labels for pod assignment
  nodeSelector: {}
  # -- List of node taints to tolerate
  tolerations: []
  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true
  # -- Pod anti affinity constraints.
  # @default -- See [values.yaml](values.yaml)
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - reports-controller
          topologyKey: kubernetes.io/hostname
  # -- Pod affinity constraints.
  podAffinity: {}
  # -- Node affinity constraints.
  nodeAffinity: {}
  # -- Topology spread constraints.
  topologySpreadConstraints: []
  # -- Security context for the pod
  # (left empty here; the hardening below is applied at container level)
  podSecurityContext: {}
  # -- Security context for the containers
  securityContext:
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  podDisruptionBudget:
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable:
  # -- A writable volume to use for the TUF root initialization.
  # Needed because the container root filesystem is read-only (see `securityContext` above).
  tufRootMountPath: /.sigstore
  # -- Volume to be mounted in pods for TUF/cosign work.
  sigstoreVolume:
    emptyDir: {}
  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    type: ClusterIP
    # -- (string) Service node port.
    # Only used if `type` is `NodePort`.
    nodePort: ~
    # -- Service annotations.
    annotations: {}
  networkPolicy:
    # -- When true, use a NetworkPolicy to allow ingress to the webhook
    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
    enabled: false
    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
    ingressFrom: []
  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional labels
    additionalLabels: {}
    # -- (string) Override namespace
    namespace: ~
    # -- Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}
    # -- RelabelConfigs to apply to samples before scraping
    relabelings: []
    # -- MetricRelabelConfigs to apply to samples before ingestion.
    metricRelabelings: []
  tracing:
    # -- Enable tracing
    enabled: false
    # -- (string) Traces receiver address
    address: ~
    # -- (string) Traces receiver port
    port: ~
    # -- (string) Traces receiver credentials
    # NOTE(review): avoid committing a credential here; supply it out of band — confirm against the chart templates.
    creds: ~
  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- (string) Otel collector endpoint
    collector: ~
    # -- (string) Otel collector credentials
    # NOTE(review): same caveat as `tracing.creds`.
    creds: ~
Подключение модуля Policy Reporter
Описание Yaml
Внимание!
Values без описания (1) являются продвинутыми настройками, и редактировать их не рекомендуется
- Описание
# Example addon Config that enables Policy Reporter together with its Kyverno plugin and UI.
# CLUSTER_NAME / CLUSTER_NAMESPACE are presumably placeholders to substitute per cluster;
# "(1)" is a documentation callout, not part of the manifest.
apiVersion: addon.bootsman.tech/v1alpha1
kind: Config
metadata:
  name: CLUSTER_NAME-policy-reporter
  namespace: CLUSTER_NAMESPACE
spec:
  enabled: true (1)
  values:
    # All images are pulled from the platform Harbor registry instead of the chart defaults.
    image:
      registry: harbor.bootsman.host/bootsman-nimbus/common-artifacts
      repository: policy-reporter
    kyvernoPlugin:
      enabled: true
      image:
        registry: harbor.bootsman.host/bootsman-nimbus/common-artifacts
        repository: policy-reporter-kyverno-plugin
    ui:
      enabled: true
      image:
        registry: harbor.bootsman.host/bootsman-nimbus/common-artifacts
        repository: policy-reporter-ui
      plugins:
        kyverno: true
- True - включено.
False - выключено
Настройка в UI
Все Values
Продвинутые настройки
Ниже представлены тонкие настройки модуля.
Используйте их для расширения конфигурации модуля, если потребуется.
Документация
Более полная документация по модулю:
Policy Reporter Cloud
Policy Reporter Chart
Policy Reporter Values
values:
# Override the chart name used for all resources
nameOverride: ""
# Core policy-reporter image; pulled from the platform Harbor registry
image:
  registry: harbor.bootsman.host/bootsman-nimbus/common-artifacts
  repository: policy-reporter
  pullPolicy: IfNotPresent
  tag: 2.15.2
# Pull secrets for the registry configured above
imagePullSecrets: []
priorityClassName: ""
# Number of pods; `leaderElection` below is enabled automatically when this is > 1
replicaCount: 1
deploymentStrategy: {}
#  rollingUpdate:
#    maxSurge: 25%
#    maxUnavailable: 25%
#  type: RollingUpdate
# When using a custom port together with the PolicyReporter UI
# the port has also to be changed in the UI subchart as well because it can't access the parent values.
# You can change the port under `ui.policyReporter.port`
port:
  name: http
  number: 8080
# Key/value pairs that are attached to all resources.
annotations: {}
# Create cluster role policies
rbac:
  enabled: true
serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
service:
  enabled: true
  ## configuration of service
  # key/value
  annotations: {}
  # key/value
  labels: {}
  type: ClusterIP
  # integer number. This is the port for the service
  port: 8080
# Pod-level context: volumes are group-owned by GID 1234 to match the container user below
podSecurityContext:
  fsGroup: 1234
# Container-level hardening: fixed non-root UID, no privilege escalation,
# read-only root filesystem, all capabilities dropped, runtime default seccomp profile
securityContext:
  runAsUser: 1234
  runAsNonRoot: true
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
# Key/value pairs that are attached to pods.
podAnnotations: {}
# Key/value pairs that are attached to pods.
podLabels: {}
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
#  limits:
#    memory: 100Mi
#    cpu: 10m
#  requests:
#    memory: 75Mi
#    cpu: 5m
# Enable a NetworkPolicy for this chart. Useful on clusters where Network Policies are
# used and configured in a default-deny fashion.
# NOTE(review): the default egress rule only covers the API server on TCP/6443; when enabling
# this, confirm whether DNS and any configured `target` endpoints need additional egress rules.
networkPolicy:
  enabled: false
  # Kubernetes API Server
  egress:
    - to:
      ports:
        - protocol: TCP
          port: 6443
  ingress: []
## Set to true to enable ingress record generation
# ref to: https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress:
  enabled: false
  className: ""
  # key/value
  labels: {}
  # key/value
  annotations: {}
  # kubernetes.io/ingress.class: nginx
  # kubernetes.io/tls-acme: "true"
  hosts:
    - host: chart-example.local
      paths: []
  # TLS is off unless a secret is listed here (exposing the API over plain HTTP otherwise)
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local
logging:
  encoding: console # possible encodings are console and json
  logLevel: 0 # default info
  development: false # more human readable structure, enables stacktraces and removes log sampling
api:
  logging: false # enable debug API access logging, sets logLevel to debug
# REST API
rest:
  enabled: false
# Prometheus Metrics API
metrics:
  enabled: false
  mode: detailed # available modes are detailed, simple and custom
  customLabels: [] # only used for custom mode. Supported fields are: ["namespace", "rule", "policy", "report" // PolicyReport name, "kind" // resource kind, "name" // resource name, "status", "severity", "category", "source"]
  # filter:
  #   sources:
  #     exclude: ["Trivy CIS Kube Bench"]
  #   status:
  #     exclude: ["pass", "skip"]
profiling:
  enabled: false
# amount of queue workers for PolicyReport resource processing
worker: 5
# Filter PolicyReport resources to process
reportFilter:
  namespaces:
    # Process only PolicyReport resources from an included namespace, wildcards are supported
    include: []
    # Ignore all PolicyReport resources from an excluded namespace, wildcards are supported
    # exclude will be ignored if an include filter exists
    exclude: []
  clusterReports:
    # Disable the processing of ClusterPolicyReports
    disabled: false
# enable policy-report-ui
ui:
  enabled: true
  image:
    registry: harbor.bootsman.host/bootsman-nimbus/common-artifacts
    repository: policy-reporter-ui
  plugins:
    kyverno: true
# Kyverno plugin subchart; disabled in these defaults, the module Config example above turns it on
kyvernoPlugin:
  enabled: false
  image:
    registry: harbor.bootsman.host/bootsman-nimbus/common-artifacts
    repository: policy-reporter-kyverno-plugin
# Settings for the monitoring subchart
monitoring:
  enabled: false
database:
  # Database Type, supported: mysql, postgres, mariadb
  type: ""
  database: "" # Database Name
  username: ""
  # NOTE(review): prefer `secretRef` or `mountedSecret` below over an inline password committed with this file
  password: ""
  host: ""
  # TLS to the database is off by default; enable it for anything beyond local testing
  enableSSL: false
  # Instead of configuring the individual values you can also provide a DSN string
  # (the examples below disable TLS and are suited to local setups only)
  # example postgres: postgres://postgres:password@localhost:5432/postgres?sslmode=disable
  # example mysql: root:password@tcp(localhost:3306)/test?tls=false
  dsn: ""
  # configure an existing secret as source for your values
  # supported fields: username, password, host, dsn, database
  secretRef: ""
  # use a mounted secret as source for your values, requires the information in JSON format
  # supported fields: username, password, host, dsn, database
  mountedSecret: ""
global:
  # available plugins
  plugins:
    # enable kyverno for Policy Reporter UI and monitoring
    kyverno: false
  # The name of service policy-report. Defaults to ReleaseName.
  backend: ""
  # overwrite the fullname of all resources including subcharts
  fullnameOverride: ""
  # configure the namespace of all resources including subcharts
  namespace: ""
  # additional labels added on each resource
  labels: {}
# configure mappings from policy to priority
# you can use default to configure a default priority for fail results
# example mapping
#  default: warning
#  require-ns-labels: error
policyPriorities: {}
emailReports:
  clusterName: "" # (optional) - displayed in the email report if configured
  smtp:
    secret: "" # (optional) secret name to provide the complete or partial SMTP configuration
    host: ""
    port: 465
    username: ""
    password: "" # prefer `secret` above over an inline password committed with this file
    from: "" # displayed from email address
    encryption: "" # default is none, supports ssl/tls and starttls; with none, credentials and report contents are sent in clear text
  # basic summary report
  summary:
    enabled: false
    schedule: "0 8 * * *" # CronJob schedule defines when the report will be sent
    activeDeadlineSeconds: 300 # timeout in seconds
    backoffLimit: 3 # retry counter
    ttlSecondsAfterFinished: 0
    restartPolicy: Never # pod restart policy
    to: [] # list of receiver email addresses
    filter: {} # optional filters
    #  disableClusterReports: false # remove ClusterPolicyResults from Reports
    #  namespaces:
    #    include: []
    #    exclude: []
    #  sources:
    #    include: []
    #    exclude: []
    channels: [] # (optional) channels can be used to send only a subset of namespaces / sources to dedicated email addresses
    #  - to: ['team-a@company.org']
    #    filter:
    #      disableClusterReports: true
    #      namespaces:
    #        include: ['team-a-*']
    #      sources:
    #        include: ['Kyverno']
  # violation summary report
  violations:
    enabled: false
    schedule: "0 8 * * *" # CronJob schedule defines when the report will be sent
    activeDeadlineSeconds: 300 # timeout in seconds
    backoffLimit: 3 # retry counter
    ttlSecondsAfterFinished: 0
    restartPolicy: Never # pod restart policy
    to: [] # list of receiver email addresses
    filter: {} # optional filters
    #  disableClusterReports: false # remove ClusterPolicyResults from Reports
    #  namespaces:
    #    include: []
    #    exclude: []
    #  sources:
    #    include: []
    #    exclude: []
    channels: [] # (optional) channels can be used to send only a subset of namespaces / sources to dedicated email addresses
    #  - to: ['team-a@company.org']
    #    filter:
    #      disableClusterReports: true
    #      namespaces:
    #        include: ['team-a-*']
    #      sources:
    #        include: ['Kyverno']
# Reference a configuration which already exists instead of creating one
# (lets the `target` section, including any credentials, live in a Secret instead of this file)
existingTargetConfig:
  enabled: false
  # Name of the secret with the config
  name: ""
  # subPath within the secret (defaults to config.yaml)
  subPath: ""
# Supported targets for new PolicyReport Results
target:
loki:
# loki host address
host: ""
# path to your custom certificate
# can be added under extraVolumes
certificate: ""
# skip TLS verification if necessary
skipTLS: false
# receive the host from an existing secret instead
secretRef: ""
# Mounted secret path by Secrets Controller, secret should be in json format
mountedSecret: ""
# loki api path, defaults to "/api/prom/push" (deprecated)
path: ""
# minimum priority "" < info < warning < critical < error
minimumPriority: ""
# list of sources which should send to loki
sources: []
# Skip already existing PolicyReportResults on startup
skipExistingOnStartup: true
# Added as additional labels to each Loki event
customLabels: {}
# Filter Results which should send to this target by report labels, namespaces, priorities or policies
# Wildcars for namespaces and policies are supported, you can either define exclude or include values
# Filters are available for all targets except the UI
filter: {}
# namespaces:
# include: ["develop"]
# priorities:
# exclude: ["debug", "info", "error"]
# labels:
# include: ["app", "owner:team-a", "monitoring:*"]
channels: []
# - host: "http://loki.loki-stack:3100"
# sources: []
# customLabels: {}
# filter:
# namespaces:
# include: ["develop"]
# priorities:
# exclude: ["debug", "info", "error"]
# reportLabels:
# . include: ["app", "owner:team-b"]
elasticsearch:
# elasticsearch host address
host: ""
# path to your custom certificate
# can be added under extraVolumes
certificate: ""
# skip TLS verification if necessary
skipTLS: false
# elasticsearch index (default: policy-reporter)
index: ""
# elasticsearch username für HTTP Basic Auth
username: ""
# elasticsearch password für HTTP Basic Auth
password: ""
# receive the host, username and/or password from an existing secret instead
secretRef: ""
# Mounted secret path by Secrets Controller, secret should be in json format
mountedSecret: ""
# elasticsearch index rotation and index suffix
# possible values: daily, monthly, annually, none (default: daily)
rotation: ""
# minimum priority "" < info < warning < critical < error
minimumPriority: ""
# list of sources which should send to elasticsearch
sources: []
# Skip already existing PolicyReportResults on startup
skipExistingOnStartup: true
# Added as additional properties to each elasticsearch event
customFields: {}
# filter results send by namespaces, policies and priorities
filter: {}
# add additional elasticsearch channels with different configurations and filters
channels: []
slack:
# slack app webhook address
webhook: ""
# slack channel
channel: ""
# receive the webhook from an existing secret instead
secretRef: ""
# Mounted secret path by Secrets Controller, secret should be in json format
mountedSecret: ""
# minimum priority "" < info < warning < critical < error
minimumPriority: ""
# list of sources which should send to slack
sources: []
# Skip already existing PolicyReportResults on startup
skipExistingOnStartup: true
# Added as additional fields to each Slack event
customFields: {}
# filter results send by namespaces, policies and priorities
filter: {}
# add additional slack channels with different configurations and filters
channels: []
# - webhook: "https://slack.webhook1"
# channel: ""
# filter:
# namespaces:
# include: ["develop"]
# priorities:
# exclude: ["debug", "info", "error"]
# policies:
# include: ["require-run-as-nonroot"]
# reportLabels:
# . include: ["app", "owner:team-b"]
# - webhook: "https://slack.webhook2"
# minimumPriority: "warning"
# filter:
# namespaces:
# include: ["team-a-*"]
discord:
# discord app webhook address
webhook: ""
# receive the webhook from an existing secret instead
secretRef: ""
# Mounted secret path by Secrets Controller, secret should be in json format
mountedSecret: ""
# minimum priority "" < info < warning < critical < error
minimumPriority: ""
# list of sources which should send to discord
sources: []
# Skip already existing PolicyReportResults on startup
skipExistingOnStartup: true
# filter results send by namespaces, policies and priorities
filter: {}
# add additional discord channels with different configurations and filters
channels: []
teams:
# teams webhook address
webhook: ""
# receive the webhook from an existing secret instead
secretRef: ""
# Mounted secret path by Secrets Controller, secret should be in json format
mountedSecret: ""
# path to your custom certificate
# can be added under extraVolumes
certificate: ""
# skip TLS verification if necessary
skipTLS: false
# minimum priority "" < info < warning < critical < error
minimumPriority: ""
# list of sources which should send to teams
sources: []
# Skip already existing PolicyReportResults on startup
skipExistingOnStartup: true
# filter results send by namespaces, policies and priorities
filter: {}
# add additional teams channels with different configurations and filters
channels: []
ui:
# ui host address
host: ""
# path to your custom certificate
# can be added under extraVolumes
certificate: ""
# skip TLS verification if necessary
skipTLS: false
# minimum priority "" < info < warning < critical < error
minimumPriority: "warning"
# list of sources which should send to the UI Log
sources: []
# Skip already existing PolicyReportResults on startup
skipExistingOnStartup: true
webhook:
# webhook host address
host: ""
# path to your custom certificate
# can be added under extraVolumes
certificate: ""
# skip TLS verification if necessary
skipTLS: false
# receive the host and/or token from an existing secret, the token is added as Authorization header
secretRef: ""
# Mounted secret path by Secrets Controller, secret should be in json format
mountedSecret: ""
# additional http headers
headers: {}
# minimum priority "" < info < warning < critical < error
minimumPriority: ""
# list of sources which should send to the UI Log
sources: []
# Skip already existing PolicyReportResults on startup
skipExistingOnStartup: true
# Added as additional properties to each webhook event
customFields: {}
# filter results send by namespaces, policies and priorities
filter: {}
# add additional webhook channels with different configurations and filters
channels: []
s3:
# S3 access key
accessKeyID: ""
# S3 secret access key
secretAccessKey: ""
# receive the accessKeyID and/or secretAccessKey from an existing secret instead
secretRef: ""
# Mounted secret path by Secrets Controller, secret should be in json format
mountedSecret: ""
# S3 storage region
region: ""
# S3 storage endpoint
endpoint: ""
# S3 storage, bucket name
bucket: ""
# S3 storage to use an S3 Bucket Key for object encryption with SSE-KMS
bucketKeyEnabled: false
# S3 storage KMS Key ID for object encryption with SSE-KMS
kmsKeyId: ""
# S3 storage server-side encryption algorithm used when storing this object in Amazon S3, AES256, aws:kms
serverSideEncryption: ""
# S3 storage, force path style configuration
pathStyle: false
# name of prefix, keys will have format: s3://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
prefix: ""
# minimum priority "" < info < warning < critical < error
minimumPriority: ""
# list of sources which should send to S3
sources: []
# Skip already existing PolicyReportResults on startup
skipExistingOnStartup: true
# Added as additional properties to each s3 event
customFields: {}
# filter results send by namespaces, policies and priorities
filter: {}
# add additional s3 channels with different configurations and filters
channels: []
# Kinesis target: forward PolicyReportResults as events to an AWS Kinesis stream.
kinesis:
# AWS access key.
# NOTE(review): a static key set here is plaintext in this values file (so in VCS, and in whatever the chart
# renders it into); prefer `secretRef` or `mountedSecret` so the key material never lives in the values.
accessKeyID: ""
# AWS secret access key (same plaintext caveat as accessKeyID).
secretAccessKey: ""
# Receive accessKeyID and/or secretAccessKey from an existing secret instead of setting them inline
# (presumably a Kubernetes Secret the release can read — confirm the expected key names against the chart docs).
secretRef: ""
# Path of a secret mounted by a Secrets Controller; the file content must be JSON. Alternative to inline keys / secretRef.
mountedSecret: ""
# AWS region
region: ""
# AWS Kinesis endpoint (override; typically empty for AWS — confirm)
endpoint: ""
# AWS Kinesis stream name
streamName: ""
# minimum priority "" < info < warning < critical < error; "" (the lowest) forwards every priority
minimumPriority: ""
# list of sources which should send to Kinesis (an empty list presumably applies no source filter — confirm)
sources: []
# Skip PolicyReportResults that already exist at startup (avoids re-sending the backlog on every restart)
skipExistingOnStartup: true
# Added as additional properties to each kinesis event
customFields: {}
# filter results sent, by namespaces, policies and priorities
filter: {}
# add additional kinesis channels with different configurations and filters
channels: []
# Security Hub target: forward PolicyReportResults as findings to AWS Security Hub.
securityHub:
# AWS access key.
# NOTE(review): a static key set here is plaintext in this values file (so in VCS, and in whatever the chart
# renders it into); prefer `secretRef` or `mountedSecret` so the key material never lives in the values.
accessKeyID: ""
# AWS secret access key (same plaintext caveat as accessKeyID).
secretAccessKey: ""
# Receive accessKeyID and/or secretAccessKey from an existing secret instead of setting them inline
# (presumably a Kubernetes Secret the release can read — confirm the expected key names against the chart docs).
secretRef: ""
# Path of a secret mounted by a Secrets Controller; the file content must be JSON. Alternative to inline keys / secretRef.
mountedSecret: ""
# AWS region
region: ""
# AWS SecurityHub endpoint (optional override)
endpoint: ""
# AWS accountID the findings are reported under (required; keep it a quoted string so an all-digit ID is not parsed as an int)
accountID: ""
# minimum priority "" < info < warning < critical < error; "" (the lowest) forwards every priority
minimumPriority: ""
# list of sources which should send to Security Hub (an empty list presumably applies no source filter — confirm)
sources: []
# Skip PolicyReportResults that already exist at startup (avoids re-sending the backlog on every restart)
skipExistingOnStartup: true
# Added as additional properties to each securityHub event
customFields: {}
# filter results sent, by namespaces, policies and priorities
filter: {}
# add additional securityHub channels with different configurations and filters
channels: []
# GCS target: forward PolicyReportResults as objects to a Google Cloud Storage bucket.
gcs:
# GCS (Google Cloud Storage) Service Account Credentials (the JSON key, inline).
# NOTE(review): a key pasted here is plaintext in this values file (so in VCS, and in whatever the chart
# renders it into); prefer `secretRef` or `mountedSecret` so the key material never lives in the values.
credentials: ""
# Receive the credentials from an existing secret instead of setting them inline
# (presumably a Kubernetes Secret the release can read — confirm the expected key name against the chart docs).
secretRef: ""
# Path of a secret mounted by a Secrets Controller; the file content must be JSON. Alternative to inline credentials / secretRef.
mountedSecret: ""
# GCS Bucket
bucket: ""
# minimum priority "" < info < warning < critical < error; "" (the lowest) forwards every priority
minimumPriority: ""
# list of sources which should send to GCS (an empty list presumably applies no source filter — confirm)
sources: []
# Skip PolicyReportResults that already exist at startup (avoids re-sending the backlog on every restart)
skipExistingOnStartup: true
# Added as additional properties to each gcs event
customFields: {}
# filter results sent, by namespaces, policies and priorities
filter: {}
# add additional gcs channels with different configurations and filters
channels: []
# Leader election: required when policy-reporter runs in HA mode and you have targets configured,
# so that only one replica pushes results to the targets (otherwise every replica would send duplicates).
# If no targets are configured, leaderElection is disabled automatically.
# Will be enabled when replicaCount > 1.
leaderElection:
enabled: false
# Give up the lease when the process is cancelled, so a new leader is picked promptly
releaseOnCancel: true
# Lease timings in seconds; must satisfy leaseDuration > renewDeadline > retryPeriod
leaseDuration: 15
renewDeadline: 10
retryPeriod: 2
# Use redis as external result cache instead of the in memory cache
# (needed so multiple replicas share one view of already-processed results — presumably; confirm).
redis:
enabled: false
# host:port of the redis server
address: ""
# redis logical database number
database: 0
# key prefix for every cache entry written by policy-reporter
prefix: "policy-reporter"
username: ""
# NOTE(review): the password set here is plaintext in this values file (so in VCS); no TLS/secret-reference
# option is exposed in this block, so if redis is reached over the network, confirm transport protection
# and credential handling elsewhere before enabling.
password: ""
# PodDisruptionBudget; only rendered if replicaCount > 1
podDisruptionBudget:
# -- Configures the minimum available pods for policy-reporter disruptions.
# Cannot be used if `maxUnavailable` is set.
minAvailable: 1
# -- Configures the maximum unavailable pods for policy-reporter disruptions.
# Cannot be used if `minAvailable` is set. Left bare on purpose: a bare value parses as null, i.e. "unset",
# which is how the mutual exclusion with `minAvailable` is expressed here.
maxUnavailable:
# Scheduling constraints for the policy-reporter pod(s); all are passed through to the pod spec.
# Node labels for pod assignment
# ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
# Tolerations for pod assignment
# ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# Pod affinity / anti-affinity rules. (The original wording "client and master nodes" does not correspond
# to anything in this values block and looks inherited from another chart; treat this as a plain affinity passthrough.)
affinity: {}
# Topology Spread Constraints to better spread pods across zones/nodes
topologySpreadConstraints: []
# livenessProbe for policy-reporter
# NOTE(review): liveness hits /ready while readiness hits /healthz — the reverse of the usual naming.
# This may be an intentional upstream default; confirm against the chart/application before swapping them.
livenessProbe:
httpGet:
path: /ready
port: http
# readinessProbe for policy-reporter
readinessProbe:
httpGet:
path: /healthz
port: http
# Extra volumes / mounts added verbatim to the pod spec and container
extraVolumes:
volumeMounts: []
volumes: []
# If set, the volume for sqlite is freely configurable below "- name: sqlite". If no value is set an emptyDir is used.
# NOTE(review): with the default emptyDir the sqlite data does not survive a pod reschedule; acceptable only if
# that database is rebuildable from the cluster's reports — confirm before relying on it.
sqliteVolume: {}
# emptyDir:
# sizeLimit: 10Mi



