kyverno/charts/kyverno/values.yaml

# -- Internal settings used with `helm template` to generate install manifest
# @ignored
templating:
  enabled: false
  debug: false
  version: ~

# -- (string) Override the name of the chart
nameOverride: ~

# -- (string) Override the expanded name of the chart
fullnameOverride: ~

# -- (string) Override the namespace the chart deploys to
namespaceOverride: ~

# CRDs configuration
crds:

  # -- Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created
  install: true

  # -- Additional CRDs annotations
  annotations: {}
    # argocd.argoproj.io/sync-options: Replace=true
    # strategy.spinnaker.io/replace: 'true'

# Configuration
config:

  # -- Create the configmap.
  create: true

  # -- (string) The configmap name (required if `create` is `false`).
  name: ~

  # -- Additional annotations to add to the configmap.
  annotations: {}

  # -- Enable registry mutation for container images. Enabled by default.
  enableDefaultRegistryMutation: true

  # -- The registry hostname used for the image mutation.
  defaultRegistry: docker.io

  # -- Exclude group role
  excludeGroupRole: []

  # -- Exclude username
  excludeUsername: []

  # -- Generate success events.
  generateSuccessEvents: false

  # -- Resource types to be skipped by the Kyverno policy engine.
  # Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
  # These are joined together without spaces, run through `tpl`, and the result is set in the config map.
  # @default -- See [values.yaml](values.yaml)
  resourceFilters:
    - '[Event,*,*]'
    - '[*,kube-system,*]'
    - '[*,kube-public,*]'
    - '[*,kube-node-lease,*]'
    - '[Node,*,*]'
    - '[APIService,*,*]'
    - '[TokenReview,*,*]'
    - '[SubjectAccessReview,*,*]'
    - '[SelfSubjectAccessReview,*,*]'
    - '[Binding,*,*]'
    - '[ReplicaSet,*,*]'
    - '[AdmissionReport,*,*]'
    - '[ClusterAdmissionReport,*,*]'
    - '[BackgroundScanReport,*,*]'
    - '[ClusterBackgroundScanReport,*,*]'
    # exclude resources from the chart
    - '[ClusterRole,*,{{ template "kyverno.fullname" . }}:*]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.fullname" . }}:*]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
    - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]'
    - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
    - '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
    - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
    - '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.serviceName" . }}-service-monitor]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-*]'

  # -- Defines the `namespaceSelector` in the webhook configurations.
  # Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element
  # will be forwarded to the webhook configurations.
  # The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
  webhooks: []
    # Exclude namespaces
    # - namespaceSelector:
    #     matchExpressions:
    #     - key: kubernetes.io/metadata.name
    #       operator: NotIn
    #       values:
    #         - kube-system
    #         - kyverno
    # Exclude objects
    # - objectSelector:
    #     matchExpressions:
    #     - key: webhooks.kyverno.io/exclude
    #       operator: DoesNotExist

# Metrics configuration
metricsConfig:

  # -- Create the configmap.
  create: true

  # -- (string) The configmap name (required if `create` is `false`).
  name: ~

  # -- Additional annotations to add to the configmap.
  annotations: {}

  namespaces:

    # -- List of namespaces to capture metrics for.
    include: []

    # -- list of namespaces to NOT capture metrics for.
    exclude: []

  # -- (string) Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics
  metricsRefreshInterval: ~
    # metricsRefreshInterval: 24h

# -- Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument
imagePullSecrets: {}
  # regcred:
  #   registry: foo.example.com
  #   username: foobar
  #   password: secret
  # regcred2:
  #   registry: bar.example.com
  #   username: barbaz
  #   password: secret2

# -- Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument
existingImagePullSecrets: []
  # - test-registry
  # - other-test-registry

# Tests configuration
test:

  image:
    # -- (string) Image registry
    registry: ~
    # -- Image repository
    repository: busybox
    # -- Image tag
    # Defaults to `latest` if omitted
    tag: '1.35'
    # -- (string) Image pull policy
    # Defaults to image.pullPolicy if omitted
    pullPolicy: ~

  resources:
    # -- Pod resource limits
    limits:
      cpu: 100m
      memory: 256Mi
    # -- Pod resource requests
    requests:
      cpu: 10m
      memory: 64Mi

  # -- Security context for the test containers
  securityContext:
    runAsUser: 65534
    runAsGroup: 65534
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault

# -- Additional labels
customLabels: {}

rbac:
  # -- Create ClusterRoles, ClusterRoleBindings, and ServiceAccount
  create: true
  serviceAccount:
    # -- Create a ServiceAccount
    create: true
    # -- The ServiceAccount name
    name:
    # -- Annotations for the ServiceAccount
    annotations: {}
      # example.com/annotation: value

image:
  # -- Image registry
  registry: ghcr.io
  # -- Image repository
  repository: kyverno/kyverno
  # -- (string) Image tag
  # Defaults to appVersion in Chart.yaml if omitted
  tag: ~
  # -- Image pull policy
  pullPolicy: IfNotPresent
  # -- Image pull secrets
  pullSecrets: []
  # - secretName

initImage:
  # -- Image registry
  registry: ghcr.io
  # -- Image repository
  repository: kyverno/kyvernopre
  # -- (string) Image tag
  # If initImage.tag is missing, defaults to image.tag
  tag: ~
  # -- (string) Image pull policy
  # If initImage.pullPolicy is missing, defaults to image.pullPolicy
  pullPolicy: ~

initContainer:
  # -- Extra arguments to give to the kyvernopre binary.
  extraArgs:
    - --loggingFormat=text

# -- Additional labels to add to each pod
podLabels: {}
  # example.com/label: foo

# -- Additional annotations to add to each pod
podAnnotations: {}
  # example.com/annotation: foo

# -- Security context for the pod
podSecurityContext: {}

# -- Security context for the containers
securityContext:
  runAsNonRoot: true
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault

antiAffinity:
  # -- Pod antiAffinities toggle.
  # Enabled by default but can be disabled if you want to schedule pods to the same node.
  enable: true

# -- Pod anti affinity constraints.
# @default -- See [values.yaml](values.yaml)
podAntiAffinity:
  preferredDuringSchedulingIgnoredDuringExecution:
    - weight: 1
      podAffinityTerm:
        labelSelector:
          matchExpressions:
            - key: app.kubernetes.io/name
              operator: In
              values:
                - '{{ template "kyverno.name" . }}'
        topologyKey: kubernetes.io/hostname

# -- Pod affinity constraints.
podAffinity: {}

# -- Node affinity constraints.
nodeAffinity: {}

# -- Env variables for initContainers.
envVarsInit: {}

# -- Env variables for containers.
envVars: {}

# -- Extra arguments to give to the binary.
extraArgs:
  - --loggingFormat=text

# -- Array of extra init containers
extraInitContainers: []
# Example:
# - name: init-container
#   image: busybox
#   command: ['sh', '-c', 'echo Hello']

# -- Array of extra containers to run alongside kyverno
extraContainers: []
# Example:
# - name: myapp-container
#   image: busybox
#   command: ['sh', '-c', 'echo Hello && sleep 3600']

resources:
  # -- Pod resource limits
  limits:
    memory: 384Mi
  # -- Pod resource requests
  requests:
    cpu: 100m
    memory: 128Mi

initResources:
  # -- Pod resource limits
  limits:
    cpu: 100m
    memory: 256Mi
  # -- Pod resource requests
  requests:
    cpu: 10m
    memory: 64Mi

# -- Startup probe.
# The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
# @default -- See [values.yaml](values.yaml)
startupProbe:
  httpGet:
    path: /health/liveness
    port: 9443
    scheme: HTTPS
  failureThreshold: 20
  initialDelaySeconds: 2
  periodSeconds: 6

# -- Liveness probe.
# The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
# @default -- See [values.yaml](values.yaml)
livenessProbe:
  httpGet:
    path: /health/liveness
    port: 9443
    scheme: HTTPS
  initialDelaySeconds: 15
  periodSeconds: 30
  timeoutSeconds: 5
  failureThreshold: 2
  successThreshold: 1

# -- Readiness Probe.
# The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
# @default -- See [values.yaml](values.yaml)
readinessProbe:
  httpGet:
    path: /health/readiness
    port: 9443
    scheme: HTTPS
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 6
  successThreshold: 1

# -- Additional resources to be added to controller RBAC permissions.
generatecontrollerExtraResources: []
# - ResourceA
# - ResourceB

# -- Exclude Kyverno namespace
# Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters
excludeKyvernoNamespace: true

# -- resourceFilter namespace exclude
# Namespaces to exclude from the default resourceFilters
resourceFiltersExcludeNamespaces: []

service:
  # -- Service port.
  port: 443
  # -- Service type.
  type: ClusterIP
  # -- Service node port.
  # Only used if `service.type` is `NodePort`.
  nodePort:
  # -- Service annotations.
  annotations: {}

metricsService:
  # -- Create service.
  create: true
  # -- Service port.
  # Kyverno's metrics server will be exposed at this port.
  port: 8000
  # -- Service type.
  type: ClusterIP
  # -- Service node port.
  # Only used if `metricsService.type` is `NodePort`.
  nodePort:
  # -- Service annotations.
  annotations: {}

serviceMonitor:
  # -- Create a `ServiceMonitor` to collect Prometheus metrics.
  enabled: false
  # -- Additional labels
  additionalLabels:
    # key: value
  # -- Override namespace (default is the same as kyverno)
  namespace:
  # --  Interval to scrape metrics
  interval: 30s
  # -- Timeout if metrics can't be retrieved in given time interval
  scrapeTimeout: 25s
  # -- Is TLS required for endpoint
  secure: false
  # -- TLS Configuration for endpoint
  tlsConfig: {}

# -- Kyverno requires a certificate key pair and corresponding certificate authority
# to properly register its webhooks. This can be done in one of 3 ways:
# 1) Use kube-controller-manager to generate a CA-signed certificate (preferred)
# 2) Provide your own CA and cert.
#    In this case, you will need to create a certificate with a specific name and data structure.
#    As long as you follow the naming scheme, it will be automatically picked up.
#    kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt)
#    kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt)
# 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true
# If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false
createSelfSignedCert: false

networkPolicy:
  # -- When true, use a NetworkPolicy to allow ingress to the webhook
  # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
  enabled: false
  # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
  ingressFrom: []

webhooksCleanup:
  # -- Create a helm pre-delete hook to cleanup webhooks.
  enabled: false
  # -- `kubectl` image to run commands for deleting webhooks.
  image: bitnami/kubectl:latest

# -- A writable volume to use for the TUF root initialization.
tufRootMountPath: /.sigstore

# -- Volume to be mounted in pods for TUF/cosign work.
sigstoreVolume:
  emptyDir: {}

grafana:
  # -- Enable grafana dashboard creation.
  enabled: false

  # -- Configmap name template.
  configMapName: '{{ include "kyverno.fullname" . }}-grafana'

  # -- (string) Namespace to create the grafana dashboard configmap.
  # If not set, it will be created in the same namespace where the chart is deployed.
  namespace: ~

  # -- Grafana dashboard configmap annotations.
  annotations: {}

# Admission controller configuration
admissionController:

  # -- (int) Desired number of pods
  replicas: ~

  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate

  # -- Optional priority class
  priorityClassName: ''

  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  hostNetwork: false

  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst

  # -- Node labels for pod assignment
  nodeSelector: {}

  # -- List of node taints to tolerate
  tolerations: []

  # -- Topology spread constraints.
  topologySpreadConstraints: []

  podDisruptionBudget:
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable:

# Cleanup controller configuration
cleanupController:

  # -- Enable cleanup controller.
  enabled: true

  rbac:
    # -- Create RBAC resources
    create: true

    serviceAccount:
      # -- Service account name
      name:

    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      extraResources: []
      # - apiGroups:
      #     - ''
      #   resources:
      #     - pods

  # -- Create self-signed certificates at deployment time.
  # The certificates won't be automatically renewed if this is set to `true`.
  createSelfSignedCert: false

  image:
    # -- Image registry
    registry: ghcr.io
    # -- Image repository
    repository: kyverno/cleanup-controller
    # -- (string) Image tag
    # Defaults to appVersion in Chart.yaml if omitted
    tag: ~
    # -- Image pull policy
    pullPolicy: IfNotPresent
    # -- Image pull secrets
    pullSecrets: []
    # - secretName

  # -- (int) Desired number of pods
  replicas: ~

  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate

  # -- Optional priority class
  priorityClassName: ''

  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  hostNetwork: false

  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst

  # -- Extra arguments passed to the container on the command line
  extraArgs: []

  resources:
    # -- Pod resource limits
    limits:
      memory: 128Mi
    # -- Pod resource requests
    requests:
      cpu: 100m
      memory: 64Mi

  # -- Startup probe.
  # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  startupProbe:
    httpGet:
      path: /health/liveness
      port: 9443
      scheme: HTTPS
    failureThreshold: 20
    initialDelaySeconds: 2
    periodSeconds: 6

  # -- Liveness probe.
  # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  livenessProbe:
    httpGet:
      path: /health/liveness
      port: 9443
      scheme: HTTPS
    initialDelaySeconds: 15
    periodSeconds: 30
    timeoutSeconds: 5
    failureThreshold: 2
    successThreshold: 1

  # -- Readiness Probe.
  # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  readinessProbe:
    httpGet:
      path: /health/readiness
      port: 9443
      scheme: HTTPS
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1

  # -- Node labels for pod assignment
  nodeSelector: {}

  # -- List of node taints to tolerate
  tolerations: []

  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true

  # -- Pod anti affinity constraints.
  # @default -- See [values.yaml](values.yaml)
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - cleanup-controller
          topologyKey: kubernetes.io/hostname

  # -- Pod affinity constraints.
  podAffinity: {}

  # -- Node affinity constraints.
  nodeAffinity: {}

  # -- Topology spread constraints.
  topologySpreadConstraints: []

  # -- Security context for the pod
  podSecurityContext: {}

  # -- Security context for the containers
  securityContext:
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault

  podDisruptionBudget:
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable:

  service:
    # -- Service port.
    port: 443
    # -- Service type.
    type: ClusterIP
    # -- Service node port.
    # Only used if `service.type` is `NodePort`.
    nodePort:
    # -- Service annotations.
    annotations: {}

  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    type: ClusterIP
    # -- Service node port.
    # Only used if `metricsService.type` is `NodePort`.
    nodePort:
    # -- Service annotations.
    annotations: {}

  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional labels
    additionalLabels:
      # key: value
    # -- Override namespace (default is the same as kyverno)
    namespace:
    # --  Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}

  tracing:
    # -- Enable tracing
    enabled: false
    # -- Traces receiver address
    address:
    # -- Traces receiver port
    port:
    # -- Traces receiver credentials
    creds: ''

  logging:
    # -- Logging format
    format: text

  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- Otel collector endpoint
    collector: ''
    # -- Otel collector credentials
    creds: ''

# Reports controller configuration
reportsController:

  # -- Enable reports controller.
  enabled: true

  rbac:
    # -- Create RBAC resources
    create: true

    serviceAccount:
      # -- Service account name
      name:

    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      extraResources: []
      # - apiGroups:
      #     - ''
      #   resources:
      #     - pods

  image:
    # -- Image registry
    registry: ghcr.io
    # -- Image repository
    repository: kyverno/reports-controller
    # -- (string) Image tag
    # Defaults to appVersion in Chart.yaml if omitted
    tag: ~
    # -- Image pull policy
    pullPolicy: IfNotPresent
    # -- Image pull secrets
    pullSecrets: []
    # - secretName

  # -- (int) Desired number of pods
  replicas: ~

  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate

  # -- Optional priority class
  priorityClassName: ''

  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  hostNetwork: false

  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst

  # -- Extra arguments passed to the container on the command line
  extraArgs: []

  resources:
    # -- Pod resource limits
    limits:
      memory: 128Mi
    # -- Pod resource requests
    requests:
      cpu: 100m
      memory: 64Mi

  # TODO
  # # -- Startup probe.
  # # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
  # # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # # @default -- See [values.yaml](values.yaml)
  # startupProbe:
  #   httpGet:
  #     path: /health/liveness
  #     port: 9443
  #     scheme: HTTPS
  #   failureThreshold: 20
  #   initialDelaySeconds: 2
  #   periodSeconds: 6

  # # -- Liveness probe.
  # # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
  # # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # # @default -- See [values.yaml](values.yaml)
  # livenessProbe:
  #   httpGet:
  #     path: /health/liveness
  #     port: 9443
  #     scheme: HTTPS
  #   initialDelaySeconds: 15
  #   periodSeconds: 30
  #   timeoutSeconds: 5
  #   failureThreshold: 2
  #   successThreshold: 1

  # # -- Readiness Probe.
  # # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
  # # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # # @default -- See [values.yaml](values.yaml)
  # readinessProbe:
  #   httpGet:
  #     path: /health/readiness
  #     port: 9443
  #     scheme: HTTPS
  #   initialDelaySeconds: 5
  #   periodSeconds: 10
  #   timeoutSeconds: 5
  #   failureThreshold: 6
  #   successThreshold: 1

  # -- Node labels for pod assignment
  nodeSelector: {}

  # -- List of node taints to tolerate
  tolerations: []

  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true

  # -- Pod anti affinity constraints.
  # @default -- See [values.yaml](values.yaml)
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - reports-controller
          topologyKey: kubernetes.io/hostname

  # -- Pod affinity constraints.
  podAffinity: {}

  # -- Node affinity constraints.
  nodeAffinity: {}

  # -- Topology spread constraints.
  topologySpreadConstraints: []

  # -- Security context for the pod
  podSecurityContext: {}

  # -- Security context for the containers
  securityContext:
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault

  podDisruptionBudget:
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable:

  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    type: ClusterIP
    # -- Service node port.
    # Only used if `metricsService.type` is `NodePort`.
    nodePort:
    # -- Service annotations.
    annotations: {}

  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional labels
    additionalLabels:
      # key: value
    # -- Override namespace (default is the same as kyverno)
    namespace:
    # --  Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}

  tracing:
    # -- Enable tracing
    enabled: false
    # -- Traces receiver address
    address:
    # -- Traces receiver port
    port:
    # -- Traces receiver credentials
    creds: ''

  logging:
    # -- Logging format
    format: text

  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- Otel collector endpoint
    collector: ''
    # -- Otel collector credentials
    creds: ''

# Background controller configuration
backgroundController:

  # -- Enable background controller.
  enabled: true

  rbac:
    # -- Create RBAC resources
    create: true

    serviceAccount:
      # -- Service account name
      name:

    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      extraResources: []
      # - apiGroups:
      #     - ''
      #   resources:
      #     - pods

  image:
    # -- (string) Image registry
    registry: ~
    # If you want to manage the registry you should remove it from the repository
    # registry: ghcr.io
    # repository: kyverno/background-controller
    # -- Image repository
    repository: ghcr.io/kyverno/background-controller
    # -- Image tag
    # Defaults to appVersion in Chart.yaml if omitted
    tag:  # replaced in e2e tests
    # -- Image pull policy
    pullPolicy: IfNotPresent
    # -- Image pull secrets
    pullSecrets: []
    # - secretName

  # -- (int) Desired number of pods
  replicas: ~

  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate

  # -- Optional priority class
  priorityClassName: ''

  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  hostNetwork: false

  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst

  # -- Extra arguments passed to the container on the command line
  extraArgs: []

  resources:
    # -- Pod resource limits
    limits:
      memory: 128Mi
    # -- Pod resource requests
    requests:
      cpu: 100m
      memory: 64Mi

  # -- Node labels for pod assignment
  nodeSelector: {}

  # -- List of node taints to tolerate
  tolerations: []

  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true

  # -- Pod anti affinity constraints.
  # @default -- See [values.yaml](values.yaml)
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - reports-controller
          topologyKey: kubernetes.io/hostname

  # -- Pod affinity constraints.
  podAffinity: {}

  # -- Node affinity constraints.
  nodeAffinity: {}

  # -- Topology spread constraints.
  topologySpreadConstraints: []

  # -- Security context for the pod
  podSecurityContext: {}

  # -- Security context for the containers
  securityContext:
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault

  podDisruptionBudget:
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable:

  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    type: ClusterIP
    # -- Service node port.
    # Only used if `metricsService.type` is `NodePort`.
    nodePort:
    # -- Service annotations.
    annotations: {}

  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional labels
    additionalLabels:
      # key: value
    # -- Override namespace (default is the same as kyverno)
    namespace:
    # --  Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}

  tracing:
    # -- Enable tracing
    enabled: false
    # -- Traces receiver address
    address:
    # -- Traces receiver port
    port:
    # -- Traces receiver credentials
    creds: ''

  logging:
    # -- Logging format
    format: text

  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- Otel collector endpoint
    collector: ''
    # -- Otel collector credentials
    creds: ''