# -- Policy kind (`ClusterPolicy`, `Policy`)
# Set to `Policy` if you need namespaced policies and not cluster policies.
# A namespaced `Policy` only applies to resources in its own namespace, so
# workloads in every other namespace are not covered by these policies.
policyKind : ClusterPolicy
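# -- Pod Security Standard profile (`baseline`, `restricted`, `privileged`, `custom`).
# In the Kubernetes Pod Security Standards, `privileged` is unrestricted, `baseline` blocks known privilege escalations, and `restricted` adds further hardening on top of `baseline`.
# For more info https://kyverno.io/policies/pod-security.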
podSecurityStandard : baseline
# -- Pod Security Standard severity (`low`, `medium`, `high`).
podSecuritySeverity : medium
# -- Policies to include when `podSecurityStandard` is `custom`.
podSecurityPolicies : [ ]
# -- Additional policies to include from `other`.
includeOtherPolicies : [ ]
# - require-non-root-groups
# -- Additional policies to include from `restricted`.
includeRestrictedPolicies : [ ]
# - require-run-as-non-root-user
# -- Additional custom policies to include.
customPolicies : [ ]
  # Example entry; `# metadata` and `# spec` stand in for the policy's own fields.
  # - apiVersion: kyverno.io/v1
  #   kind: ClusterPolicy
  #   metadata: # metadata
  #   spec: # spec
# -- API server behavior if the webhook fails to respond (`Ignore`, `Fail`)
# `Fail` rejects the request when the webhook cannot answer (fail closed).
# `Ignore` admits the request without any policy check (fail open), so a
# webhook outage or timeout leaves these policies unenforced until it recovers.
# For more info: https://kyverno.io/docs/writing-policies/policy-settings/
failurePolicy : Fail
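# -- Validation failure action (`Audit`, `Enforce`).
# `Audit` admits resources that violate a policy and only records the violation; `Enforce` blocks them.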
# For more info https://kyverno.io/docs/writing-policies/validate.
validationFailureAction : Audit
# -- Define validationFailureActionByPolicy for specific policies.
# Overrides the chart-wide `validationFailureAction` with an individual action for the named policies.
# NOTE(review): the examples use lowercase `enforce`, while `validationFailureAction`
# documents `Audit` / `Enforce` — confirm which spelling the installed Kyverno version accepts.
validationFailureActionByPolicy : {}
  # disallow-capabilities-strict: enforce
  # disallow-host-path: enforce
  # disallow-host-ports: enforce
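# -- Define validationFailureActionOverrides for specific policies.
# The overrides for `all` will apply to all policies.
# An override that sets `audit` for a namespace stops the affected policies from blocking anything there, so keep the namespace lists as short as possible.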
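validationFailureActionOverrides:
  all: []  # applies to every policy; must stay nested under the parent key, or the parent parses as null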
  # all:
  #   - action: audit
  #     namespaces:
  #       - ingress-nginx
  # disallow-host-path:
  #   - action: audit
  #     namespaces:
  #       - fluent
# -- Validate already existing resources.
# NOTE(review): the key name suggests this maps to Kyverno's `allowExistingViolations`
# setting — confirm against the chart templates. If so, `true` lets resources that
# already violated a policy before it applied keep being updated without being blocked,
# even when the action is `Enforce`.
# For more info https://kyverno.io/docs/writing-policies/validate.
validationAllowExistingViolations : true
# -- Exclude resources from individual policies.
# Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map.
# Every exclusion is a gap in enforcement; match on kinds and namespaces as narrowly as possible.
policyExclude : {}
  # # Exclude resources from individual policies
  # disallow-host-path:
  #   any:
  #     - resources:
  #         kinds:
  #           - Pod
  #         namespaces:
  #           - fluent
  # # Policies with multiple rules can have individual rules excluded
  # adding-capabilities-strict:
  #   any:
  #     - resources:
  #         kinds:
  #           - Pod
  #         namespaces:
  #           - kube-system
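# -- Add preconditions to individual policies.
# Policies with multiple rules can have preconditions set on individual rules by using the name of the rule as the key in the `policyPreconditions` map.
# The examples below skip a rule based on the resource name alone. Whoever creates
# a resource chooses its name, so a name-based condition is a weak boundary; prefer
# scoping by namespace, where RBAC limits who can create workloads.
policyPreconditions: {}
  # # Add preconditions to individual policies
  # require-run-as-non-root-user:
  #   all:
  #     - key: "{{ request.object.metadata.name }}"
  #       operator: NotEquals
  #       value: "dcgm-exporter*"
  # # Policies with multiple rules can have preconditions set on individual rules
  # require-drop-all:
  #   any:
  #     - key: "{{ request.object.metadata.name }}"
  #       operator: NotEquals
  #       value: "dcgm-exporter*"
  # adding-capabilities-strict:
  #   all:
  #     - key: "{{ request.object.metadata.name }}"
  #       operator: NotEquals
  #       value: "dcgm-exporter*"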
# -- Customize the target Pod controllers for the auto-generated rules. (e.g. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`)
# NOTE(review): the default is an empty string; presumably Kyverno's own autogen default then applies — confirm against the chart templates.
# For more info https://kyverno.io/docs/writing-policies/autogen/.
autogenControllers : ""
# -- Name override.
nameOverride :
# -- Additional labels.
customLabels : {}
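# -- Policies background mode. When `true`, Kyverno also checks resources that already exist through background scans, not only new admission requests.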
background : true
# -- (bool) SkipBackgroundRequests bypasses admission requests that are sent by the background controller
# `~` is YAML null, so the setting is left unset here.
# NOTE(review): which value takes effect when it is unset is not visible in this file — confirm against the chart templates.
skipBackgroundRequests : ~
# -- Kyverno version
# The default of "autodetect" will try to determine the currently installed version from the deployment
kyvernoVersion : autodetect
# -- Kubernetes version override
# Overrides the default `kubeVersion` that the release team sets in Chart.yaml with a custom value.
# Ideally a range of versions no more than two prior (e.g. 1.28-1.31). The value must be enclosed in quotes.
kubeVersionOverride :