kyverno/charts/kyverno/values.yaml

# -- Internal settings used with `helm template` to generate install manifest
# @ignored
templating:
  enabled: false
  debug: false
  version: ~

# -- (string) Override the name of the chart
nameOverride: ~

# -- (string) Override the expanded name of the chart
fullnameOverride: ~

# -- (string) Override the namespace the chart deploys to
namespaceOverride: ~

upgrade:
  # -- Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed.
  fromV2: false

apiVersionOverride:
  # -- (string) Override api version used to create `PodDisruptionBudget`` resources.
  # When not specified the chart will check if `policy/v1/PodDisruptionBudget` is available to
  # determine the api version automatically.
  podDisruptionBudget: ~

# CRDs configuration
crds:

  # -- Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created
  install: true

  # -- Additional CRDs annotations
  annotations: {}
    # argocd.argoproj.io/sync-options: Replace=true
    # strategy.spinnaker.io/replace: 'true'

# Configuration
config:

  # -- Create the configmap.
  create: true

  # -- (string) The configmap name (required if `create` is `false`).
  name: ~

  # -- Additional annotations to add to the configmap.
  annotations: {}

  # -- Enable registry mutation for container images. Enabled by default.
  enableDefaultRegistryMutation: true

  # -- The registry hostname used for the image mutation.
  defaultRegistry: docker.io

  # -- Exclude groups
  excludeGroups:
    - system:nodes

  # -- Exclude usernames
  excludeUsernames: []
    # - '!system:kube-scheduler'

  # -- Exclude roles
  excludeRoles: []

  # -- Exclude roles
  excludeClusterRoles: []

  # -- Generate success events.
  generateSuccessEvents: false

  # -- Resource types to be skipped by the Kyverno policy engine.
  # Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
  # These are joined together without spaces, run through `tpl`, and the result is set in the config map.
  # @default -- See [values.yaml](values.yaml)
  resourceFilters:
    - '[Event,*,*]'
    - '[*/*,kube-system,*]'
    - '[*/*,kube-public,*]'
    - '[*/*,kube-node-lease,*]'
    - '[Node,*,*]'
    - '[Node/*,*,*]'
    - '[APIService,*,*]'
    - '[APIService/*,*,*]'
    - '[TokenReview,*,*]'
    - '[SubjectAccessReview,*,*]'
    - '[SelfSubjectAccessReview,*,*]'
    - '[Binding,*,*]'
    - '[Pod/binding,*,*]'
    - '[ReplicaSet,*,*]'
    - '[ReplicaSet/*,*,*]'
    - '[AdmissionReport,*,*]'
    - '[AdmissionReport/*,*,*]'
    - '[ClusterAdmissionReport,*,*]'
    - '[ClusterAdmissionReport/*,*,*]'
    - '[BackgroundScanReport,*,*]'
    - '[BackgroundScanReport/*,*,*]'
    - '[ClusterBackgroundScanReport,*,*]'
    - '[ClusterBackgroundScanReport/*,*,*]'
    # exclude resources from the chart
    - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]'
    - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]'
    - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:additional]'
    - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}]'
    - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:core]'
    - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:additional]'
    - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
    - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:core]'
    - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:additional]'
    - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}]'
    - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:core]'
    - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:additional]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.admission-controller.roleName" . }}]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.background-controller.roleName" . }}]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
    - '[ClusterRoleBinding,*,{{ template "kyverno.reports-controller.roleName" . }}]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
    - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
    - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
    - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
    - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
    - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]'
    - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
    - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
    - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
    - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
    - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
    - '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
    - '[Job/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
    - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
    - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
    - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
    - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
    - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]'
    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.background-controller.name" . }}]'
    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.cleanup-controller.name" . }}]'
    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.reports-controller.name" . }}]'
    - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
    - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]'

  # -- Defines the `namespaceSelector` in the webhook configurations.
  # Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element
  # will be forwarded to the webhook configurations.
  # The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
  webhooks: []
    # Exclude namespaces
    # - namespaceSelector:
    #     matchExpressions:
    #     - key: kubernetes.io/metadata.name
    #       operator: NotIn
    #       values:
    #         - kube-system
    #         - kyverno
    # Exclude objects
    # - objectSelector:
    #     matchExpressions:
    #     - key: webhooks.kyverno.io/exclude
    #       operator: DoesNotExist

  # -- Defines annotations to set on webhook configurations.
  webhookAnnotations: {}
    # Example to disable admission enforcer on AKS:
    # 'admissions.enforcer/disabled': 'true'

  # -- Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+).
  matchConditions: []

  # -- Exclude Kyverno namespace
  # Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters
  excludeKyvernoNamespace: true

  # -- resourceFilter namespace exclude
  # Namespaces to exclude from the default resourceFilters
  resourceFiltersExcludeNamespaces: []

# Metrics configuration
metricsConfig:

  # -- Create the configmap.
  create: true

  # -- (string) The configmap name (required if `create` is `false`).
  name: ~

  # -- Additional annotations to add to the configmap.
  annotations: {}

  namespaces:

    # -- List of namespaces to capture metrics for.
    include: []

    # -- list of namespaces to NOT capture metrics for.
    exclude: []

  # -- (string) Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics
  metricsRefreshInterval: ~
    # metricsRefreshInterval: 24h

# -- Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument
imagePullSecrets: {}
  # regcred:
  #   registry: foo.example.com
  #   username: foobar
  #   password: secret
  # regcred2:
  #   registry: bar.example.com
  #   username: barbaz
  #   password: secret2

# -- Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument
existingImagePullSecrets: []
  # - test-registry
  # - other-test-registry

# Tests configuration
test:

  image:
    # -- (string) Image registry
    registry: ~
    # -- Image repository
    repository: busybox
    # -- Image tag
    # Defaults to `latest` if omitted
    tag: '1.35'
    # -- (string) Image pull policy
    # Defaults to image.pullPolicy if omitted
    pullPolicy: ~

  resources:
    # -- Pod resource limits
    limits:
      cpu: 100m
      memory: 256Mi
    # -- Pod resource requests
    requests:
      cpu: 10m
      memory: 64Mi

  # -- Security context for the test containers
  securityContext:
    runAsUser: 65534
    runAsGroup: 65534
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault

# -- Additional labels
customLabels: {}

webhooksCleanup:
  # -- Create a helm pre-delete hook to cleanup webhooks.
  enabled: true

  # -- `kubectl` image to run commands for deleting webhooks.
  image: bitnami/kubectl:latest

  # -- Image pull secrets
  imagePullSecrets: []

  # -- Security context for the pod
  podSecurityContext: {}

  # -- Node labels for pod assignment
  nodeSelector: {}

  # -- List of node taints to tolerate
  tolerations: []

  # -- Pod anti affinity constraints.
  podAntiAffinity: {}

  # -- Pod affinity constraints.
  podAffinity: {}

  # -- Node affinity constraints.
  nodeAffinity: {}

  # -- Security context for the hook containers
  securityContext:
    runAsUser: 65534
    runAsGroup: 65534
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault

grafana:
  # -- Enable grafana dashboard creation.
  enabled: false

  # -- Configmap name template.
  configMapName: '{{ include "kyverno.fullname" . }}-grafana'

  # -- (string) Namespace to create the grafana dashboard configmap.
  # If not set, it will be created in the same namespace where the chart is deployed.
  namespace: ~

  # -- Grafana dashboard configmap annotations.
  annotations: {}

  # -- Grafana dashboard configmap labels
  labels:
    grafana_dashboard: "1"

  # -- create GrafanaDashboard custom resource referencing to the configMap.
  # according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/
  grafanaDashboard:
    create: false
    matchLabels:
      dashboards: "grafana"

# Features configuration
features:
  admissionReports:
    # -- Enables the feature
    enabled: true
  aggregateReports:
    # -- Enables the feature
    enabled: true
  policyReports:
    # -- Enables the feature
    enabled: true
  validatingAdmissionPolicyReports:
    # -- Enables the feature
    enabled: false
  autoUpdateWebhooks:
    # -- Enables the feature
    enabled: true
  backgroundScan:
    # -- Enables the feature
    enabled: true
    # -- Number of background scan workers
    backgroundScanWorkers: 2
    # -- Background scan interval
    backgroundScanInterval: 1h
    # -- Skips resource filters in background scan
    skipResourceFilters: true
  configMapCaching:
    # -- Enables the feature
    enabled: true
  deferredLoading:
    # -- Enables the feature
    enabled: true
  dumpPayload:
    # -- Enables the feature
    enabled: false
  forceFailurePolicyIgnore:
    # -- Enables the feature
    enabled: false
  generateValidatingAdmissionPolicy:
    # -- Enables the feature
    enabled: false
  logging:
    # -- Logging format
    format: text
    # -- Logging verbosity
    verbosity: 2
  omitEvents:
    # -- Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`)
    eventTypes: []
      # - PolicyViolation
      # - PolicyApplied
      # - PolicyError
      # - PolicySkipped
  policyExceptions:
    # -- Enables the feature
    enabled: false
    # -- Restrict policy exceptions to a single namespace
    namespace: ''
  protectManagedResources:
    # -- Enables the feature
    enabled: false
  registryClient:
    # -- Allow insecure registry
    allowInsecure: false
    # -- Enable registry client helpers
    credentialHelpers:
    - default
    - google
    - amazon
    - azure
    - github
  reports:
    # -- Reports chunk size
    chunkSize: 1000
  ttlController:
    # -- Reconciliation interval for the label based cleanup manager
    reconciliationInterval: 1m
  tuf:
    # -- Enable tuf
    enable: false
    # -- (string) Tuf root
    root: ~
    # -- (string) Tuf mirror
    mirror: ~

# Cleanup cronjobs to prevent internal resources from stacking up in the cluster
cleanupJobs:

  admissionReports:

    # -- Enable cleanup cronjob
    enabled: true

    image:
      # -- (string) Image registry
      registry: ~
      # -- Image repository
      repository: bitnami/kubectl
      # -- Image tag
      # Defaults to `latest` if omitted
      tag: '1.26.4'
      # -- (string) Image pull policy
      # Defaults to image.pullPolicy if omitted
      pullPolicy: ~

    # -- Image pull secrets
    imagePullSecrets: []
      # - name: secretName

    # -- Cronjob schedule
    schedule: '*/10 * * * *'

    # -- Reports threshold, if number of reports are above this value the cronjob will start deleting them
    threshold: 10000

    # -- Cronjob history
    history:
      success: 1
      failure: 1

    # -- Security context for the pod
    podSecurityContext: {}

    # -- Security context for the containers
    securityContext:
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault

    # -- Job resources
    resources: {}

    # -- List of node taints to tolerate
    tolerations: []

    # -- Node labels for pod assignment
    nodeSelector: {}

    # -- Pod Annotations
    podAnnotations: {}

    # -- Pod labels
    podLabels: {}

    # -- Pod anti affinity constraints.
    podAntiAffinity: {}

    # -- Pod affinity constraints.
    podAffinity: {}

    # -- Node affinity constraints.
    nodeAffinity: {}

  clusterAdmissionReports:

    # -- Enable cleanup cronjob
    enabled: true

    image:
      # -- (string) Image registry
      registry: ~
      # -- Image repository
      repository: bitnami/kubectl
      # -- Image tag
      # Defaults to `latest` if omitted
      tag: '1.26.4'
      # -- (string) Image pull policy
      # Defaults to image.pullPolicy if omitted
      pullPolicy: ~

    # -- Image pull secrets
    imagePullSecrets: []
      # - name: secretName

    # -- Cronjob schedule
    schedule: '*/10 * * * *'

    # -- Reports threshold, if number of reports are above this value the cronjob will start deleting them
    threshold: 10000

    # -- Cronjob history
    history:
      success: 1
      failure: 1

    # -- Security context for the pod
    podSecurityContext: {}

    # -- Security context for the containers
    securityContext:
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault

    # -- Job resources
    resources: {}

    # -- List of node taints to tolerate
    tolerations: []

    # -- Node labels for pod assignment
    nodeSelector: {}

    # -- Pod Annotations
    podAnnotations: {}

    # -- Pod Labels
    podLabels: {}

    # -- Pod anti affinity constraints.
    podAntiAffinity: {}

    # -- Pod affinity constraints.
    podAffinity: {}

    # -- Node affinity constraints.
    nodeAffinity: {}

# Admission controller configuration
admissionController:

  # -- Overrides features defined at the root level
  featuresOverride: {}

  rbac:
    # -- Create RBAC resources
    create: true

    serviceAccount:
      # -- The ServiceAccount name
      name:

      # -- Annotations for the ServiceAccount
      annotations: {}
        # example.com/annotation: value

    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      extraResources: []
      # - apiGroups:
      #     - ''
      #   resources:
      #     - pods
      #   verbs:
      #     - create
      #     - update
      #     - delete

  # -- Create self-signed certificates at deployment time.
  # The certificates won't be automatically renewed if this is set to `true`.
  createSelfSignedCert: false

  # -- (int) Desired number of pods
  replicas: ~

  # -- Additional labels to add to each pod
  podLabels: {}
    # example.com/label: foo

  # -- Additional annotations to add to each pod
  podAnnotations: {}
    # example.com/annotation: foo

  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate

  # -- Optional priority class
  priorityClassName: ''

  # -- Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno admission controller activities.
  # This will help ensure Kyverno stability in busy clusters.
  # Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
  apiPriorityAndFairness: false

  # -- Priority level configuration.
  # The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want.
  # ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration
  # @default -- See [values.yaml](values.yaml)
  priorityLevelConfigurationSpec:
    type: Limited
    limited:
      nominalConcurrencyShares: 10
      limitResponse:
        queuing:
          queueLengthLimit: 50
        type: Queue

  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  hostNetwork: false

  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst

  # -- Startup probe.
  # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  startupProbe:
    httpGet:
      path: /health/liveness
      port: 9443
      scheme: HTTPS
    failureThreshold: 20
    initialDelaySeconds: 2
    periodSeconds: 6

  # -- Liveness probe.
  # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  livenessProbe:
    httpGet:
      path: /health/liveness
      port: 9443
      scheme: HTTPS
    initialDelaySeconds: 15
    periodSeconds: 30
    timeoutSeconds: 5
    failureThreshold: 2
    successThreshold: 1

  # -- Readiness Probe.
  # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  readinessProbe:
    httpGet:
      path: /health/readiness
      port: 9443
      scheme: HTTPS
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1

  # -- Node labels for pod assignment
  nodeSelector: {}

  # -- List of node taints to tolerate
  tolerations: []

  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true

  # -- Pod anti affinity constraints.
  # @default -- See [values.yaml](values.yaml)
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - admission-controller
          topologyKey: kubernetes.io/hostname

  # -- Pod affinity constraints.
  podAffinity: {}

  # -- Node affinity constraints.
  nodeAffinity: {}

  # -- Topology spread constraints.
  topologySpreadConstraints: []

  # -- Security context for the pod
  podSecurityContext: {}

  podDisruptionBudget:
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable:

  # -- A writable volume to use for the TUF root initialization.
  tufRootMountPath: /.sigstore

  # -- Volume to be mounted in pods for TUF/cosign work.
  sigstoreVolume:
    emptyDir: {}

  # -- Image pull secrets
  imagePullSecrets: []
    # - secretName

  initContainer:

    image:
      # -- Image registry
      registry: ghcr.io
      # -- Image repository
      repository: kyverno/kyvernopre
      # -- (string) Image tag
      # If missing, defaults to image.tag
      tag: ~
      # -- (string) Image pull policy
      # If missing, defaults to image.pullPolicy
      pullPolicy: ~

    resources:
      # -- Pod resource limits
      limits:
        cpu: 100m
        memory: 256Mi
      # -- Pod resource requests
      requests:
        cpu: 10m
        memory: 64Mi

    # -- Container security context
    securityContext:
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault

    # -- Additional container args.
    extraArgs: {}

    # -- Additional container environment variables.
    extraEnvVars: []

  container:

    image:
      # -- Image registry
      registry: ghcr.io
      # -- Image repository
      repository: kyverno/kyverno
      # -- (string) Image tag
      # Defaults to appVersion in Chart.yaml if omitted
      tag: ~
      # -- Image pull policy
      pullPolicy: IfNotPresent

    resources:
      # -- Pod resource limits
      limits:
        memory: 384Mi
      # -- Pod resource requests
      requests:
        cpu: 100m
        memory: 128Mi

    # -- Container security context
    securityContext:
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault

    # -- Additional container args.
    extraArgs: {}

    # -- Additional container environment variables.
    extraEnvVars: []

  # -- Array of extra init containers
  extraInitContainers: []
    # - name: init-container
    #   image: busybox
    #   command: ['sh', '-c', 'echo Hello']

  # -- Array of extra containers to run alongside kyverno
  extraContainers: []
    # - name: myapp-container
    #   image: busybox
    #   command: ['sh', '-c', 'echo Hello && sleep 3600']

  service:
    # -- Service port.
    port: 443
    # -- Service type.
    type: ClusterIP
    # -- Service node port.
    # Only used if `type` is `NodePort`.
    nodePort:
    # -- Service annotations.
    annotations: {}

  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Kyverno's metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    type: ClusterIP
    # -- Service node port.
    # Only used if `type` is `NodePort`.
    nodePort:
    # -- Service annotations.
    annotations: {}

  networkPolicy:
    # -- When true, use a NetworkPolicy to allow ingress to the webhook
    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
    enabled: false
    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
    ingressFrom: []

  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional labels
    additionalLabels: {}
    # -- (string) Override namespace
    namespace: ~
    # --  Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}
    # -- RelabelConfigs to apply to samples before scraping
    relabelings: []
    # -- MetricRelabelConfigs to apply to samples before ingestion.
    metricRelabelings: []

  tracing:
    # -- Enable tracing
    enabled: false
    # -- Traces receiver address
    address:
    # -- Traces receiver port
    port:
    # -- Traces receiver credentials
    creds: ''

  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- Otel collector endpoint
    collector: ''
    # -- Otel collector credentials
    creds: ''

# Background controller configuration
backgroundController:

  # -- Overrides features defined at the root level
  featuresOverride: {}

  # -- Enable background controller.
  enabled: true

  rbac:
    # -- Create RBAC resources
    create: true

    serviceAccount:
      # -- Service account name
      name:

      # -- Annotations for the ServiceAccount
      annotations: {}
        # example.com/annotation: value

    coreClusterRole:
      # -- Extra resource permissions to add in the core cluster role.
      # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
      # @default -- See [values.yaml](values.yaml)
      extraResources:
        - apiGroups:
            - '*'
          resources:
            - '*'
          verbs:
            - get
            - list
            - watch
        - apiGroups:
            - networking.k8s.io
          resources:
            - ingresses
            - ingressclasses
            - networkpolicies
          verbs:
            - create
            - update
            - patch
            - delete
        - apiGroups:
            - rbac.authorization.k8s.io
          resources:
            - rolebindings
            - roles
          verbs:
            - create
            - update
            - patch
            - delete
        - apiGroups:
            - ''
          resources:
            - configmaps
            - secrets
            - resourcequotas
            - limitranges
          verbs:
            - create
            - update
            - patch
            - delete

    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      extraResources: []
      # - apiGroups:
      #     - ''
      #   resources:
      #     - pods
      #   verbs:
      #     - create
      #     - update
      #     - delete
      #     - patch

  image:
    # -- Image registry
    registry: ghcr.io
    # -- Image repository
    repository: kyverno/background-controller
    # -- Image tag
    # Defaults to appVersion in Chart.yaml if omitted
    tag: ~
    # -- Image pull policy
    pullPolicy: IfNotPresent

  # -- Image pull secrets
  imagePullSecrets: []
    # - secretName

  # -- (int) Desired number of pods
  replicas: ~

  # -- Additional labels to add to each pod
  podLabels: {}
  # example.com/label: foo

  # -- Additional annotations to add to each pod
  podAnnotations: {}
  # example.com/annotation: foo

  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate

  # -- Optional priority class
  priorityClassName: ''

  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  hostNetwork: false

  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst

  # -- Extra arguments passed to the container on the command line
  extraArgs: {}

  # -- Additional container environment variables.
  extraEnvVars: []

  resources:
    # -- Pod resource limits
    limits:
      memory: 128Mi
    # -- Pod resource requests
    requests:
      cpu: 100m
      memory: 64Mi

  # -- Node labels for pod assignment
  nodeSelector: {}

  # -- List of node taints to tolerate
  tolerations: []

  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true

  # -- Pod anti affinity constraints.
  # @default -- See [values.yaml](values.yaml)
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - background-controller
          topologyKey: kubernetes.io/hostname

  # -- Pod affinity constraints.
  podAffinity: {}

  # -- Node affinity constraints.
  nodeAffinity: {}

  # -- Topology spread constraints.
  topologySpreadConstraints: []

  # -- Security context for the pod
  podSecurityContext: {}

  # -- Security context for the containers
  securityContext:
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault

  podDisruptionBudget:
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable:

  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    type: ClusterIP
    # -- Service node port.
    # Only used if `metricsService.type` is `NodePort`.
    nodePort:
    # -- Service annotations.
    annotations: {}

  networkPolicy:

    # -- When true, use a NetworkPolicy to allow ingress to the webhook
    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
    enabled: false

    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
    ingressFrom: []

  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional labels
    additionalLabels: {}
    # -- (string) Override namespace
    namespace: ~
    # --  Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}
    # -- RelabelConfigs to apply to samples before scraping
    relabelings: []
    # -- MetricRelabelConfigs to apply to samples before ingestion.
    metricRelabelings: []

  tracing:
    # -- Enable tracing
    enabled: false
    # -- Traces receiver address
    address:
    # -- Traces receiver port
    port:
    # -- Traces receiver credentials
    creds: ''

  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- Otel collector endpoint
    collector: ''
    # -- Otel collector credentials
    creds: ''

# Cleanup controller configuration
cleanupController:

  # -- Overrides features defined at the root level
  featuresOverride: {}

  # -- Enable cleanup controller.
  enabled: true

  rbac:
    # -- Create RBAC resources
    create: true

    serviceAccount:
      # -- Service account name
      name:

      # -- Annotations for the ServiceAccount
      annotations: {}
        # example.com/annotation: value

    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      extraResources: []
      # - apiGroups:
      #     - ''
      #   resources:
      #     - pods
      #   verbs:
      #     - delete
      #     - list
      #     - watch

  # -- Create self-signed certificates at deployment time.
  # The certificates won't be automatically renewed if this is set to `true`.
  createSelfSignedCert: false

  image:
    # -- Image registry
    registry: ghcr.io
    # -- Image repository
    repository: kyverno/cleanup-controller
    # -- (string) Image tag
    # Defaults to appVersion in Chart.yaml if omitted
    tag: ~
    # -- Image pull policy
    pullPolicy: IfNotPresent

  # -- Image pull secrets
  imagePullSecrets: []
    # - secretName

  # -- (int) Desired number of pods
  replicas: ~

  # -- Additional labels to add to each pod
  podLabels: {}
  # example.com/label: foo

  # -- Additional annotations to add to each pod
  podAnnotations: {}
  # example.com/annotation: foo

  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate

  # -- Optional priority class
  priorityClassName: ''

  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  hostNetwork: false

  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst

  # -- Extra arguments passed to the container on the command line
  extraArgs: {}

  # -- Additional container environment variables.
  extraEnvVars: []

  resources:
    # -- Pod resource limits
    limits:
      memory: 128Mi
    # -- Pod resource requests
    requests:
      cpu: 100m
      memory: 64Mi

  # -- Startup probe.
  # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  startupProbe:
    httpGet:
      path: /health/liveness
      port: 9443
      scheme: HTTPS
    failureThreshold: 20
    initialDelaySeconds: 2
    periodSeconds: 6

  # -- Liveness probe.
  # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  livenessProbe:
    httpGet:
      path: /health/liveness
      port: 9443
      scheme: HTTPS
    initialDelaySeconds: 15
    periodSeconds: 30
    timeoutSeconds: 5
    failureThreshold: 2
    successThreshold: 1

  # -- Readiness Probe.
  # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  # @default -- See [values.yaml](values.yaml)
  readinessProbe:
    httpGet:
      path: /health/readiness
      port: 9443
      scheme: HTTPS
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1

  # -- Node labels for pod assignment
  nodeSelector: {}

  # -- List of node taints to tolerate
  tolerations: []

  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true

  # -- Pod anti affinity constraints.
  # @default -- See [values.yaml](values.yaml)
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - cleanup-controller
          topologyKey: kubernetes.io/hostname

  # -- Pod affinity constraints.
  podAffinity: {}

  # -- Node affinity constraints.
  nodeAffinity: {}

  # -- Topology spread constraints.
  topologySpreadConstraints: []

  # -- Security context for the pod
  podSecurityContext: {}

  # -- Security context for the containers
  securityContext:
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault

  podDisruptionBudget:
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable:

  service:
    # -- Service port.
    port: 443
    # -- Service type.
    type: ClusterIP
    # -- Service node port.
    # Only used if `service.type` is `NodePort`.
    nodePort:
    # -- Service annotations.
    annotations: {}

  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    type: ClusterIP
    # -- Service node port.
    # Only used if `metricsService.type` is `NodePort`.
    nodePort:
    # -- Service annotations.
    annotations: {}

  networkPolicy:

    # -- When true, use a NetworkPolicy to allow ingress to the webhook
    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
    enabled: false

    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
    ingressFrom: []

  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional labels
    additionalLabels: {}
    # -- (string) Override namespace
    namespace: ~
    # --  Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}
    # -- RelabelConfigs to apply to samples before scraping
    relabelings: []
    # -- MetricRelabelConfigs to apply to samples before ingestion.
    metricRelabelings: []

  tracing:
    # -- Enable tracing
    enabled: false
    # -- Traces receiver address
    address:
    # -- Traces receiver port
    port:
    # -- Traces receiver credentials
    creds: ''

  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- Otel collector endpoint
    collector: ''
    # -- Otel collector credentials
    creds: ''

# Reports controller configuration
reportsController:

  # -- Overrides features defined at the root level
  featuresOverride: {}

  # -- Enable reports controller.
  enabled: true

  rbac:
    # -- Create RBAC resources
    create: true

    serviceAccount:
      # -- Service account name
      name:

      # -- Annotations for the ServiceAccount
      annotations: {}
        # example.com/annotation: value

    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      extraResources: []
      # - apiGroups:
      #     - ''
      #   resources:
      #     - pods

  image:
    # -- Image registry
    registry: ghcr.io
    # -- Image repository
    repository: kyverno/reports-controller
    # -- (string) Image tag
    # Defaults to appVersion in Chart.yaml if omitted
    tag: ~
    # -- Image pull policy
    pullPolicy: IfNotPresent

  # -- Image pull secrets
  imagePullSecrets: []
    # - secretName

  # -- (int) Desired number of pods
  replicas: ~

  # -- Additional labels to add to each pod
  podLabels: {}
  # example.com/label: foo

  # -- Additional annotations to add to each pod
  podAnnotations: {}
  # example.com/annotation: foo

  # -- Deployment update strategy.
  # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  # @default -- See [values.yaml](values.yaml)
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate

  # -- Optional priority class
  priorityClassName: ''

  # -- Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno reports controller activities.
  # This will help ensure Kyverno reports stability in busy clusters.
  # Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
  apiPriorityAndFairness: false

  # -- Priority level configuration.
  # The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want.
  # ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration
  # @default -- See [values.yaml](values.yaml)
  priorityLevelConfigurationSpec:
    type: Limited
    limited:
      nominalConcurrencyShares: 10
      limitResponse:
        queuing:
          queueLengthLimit: 50
        type: Queue

  # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
  # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
  # Update the `dnsPolicy` accordingly as well to suit the host network mode.
  hostNetwork: false

  # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
  # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
  # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
  dnsPolicy: ClusterFirst

  # -- Extra arguments passed to the container on the command line
  extraArgs: {}

  # -- Additional container environment variables.
  extraEnvVars: []

  resources:
    # -- Pod resource limits
    limits:
      memory: 128Mi
    # -- Pod resource requests
    requests:
      cpu: 100m
      memory: 64Mi

  # -- Node labels for pod assignment
  nodeSelector: {}

  # -- List of node taints to tolerate
  tolerations: []

  antiAffinity:
    # -- Pod antiAffinities toggle.
    # Enabled by default but can be disabled if you want to schedule pods to the same node.
    enabled: true

  # -- Pod anti affinity constraints.
  # @default -- See [values.yaml](values.yaml)
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - reports-controller
          topologyKey: kubernetes.io/hostname

  # -- Pod affinity constraints.
  podAffinity: {}

  # -- Node affinity constraints.
  nodeAffinity: {}

  # -- Topology spread constraints.
  topologySpreadConstraints: []

  # -- Security context for the pod
  podSecurityContext: {}

  # -- Security context for the containers
  securityContext:
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault

  podDisruptionBudget:
    # -- Configures the minimum available pods for disruptions.
    # Cannot be used if `maxUnavailable` is set.
    minAvailable: 1
    # -- Configures the maximum unavailable pods for disruptions.
    # Cannot be used if `minAvailable` is set.
    maxUnavailable:

  # -- A writable volume to use for the TUF root initialization.
  tufRootMountPath: /.sigstore

  # -- Volume to be mounted in pods for TUF/cosign work.
  sigstoreVolume:
    emptyDir: {}

  metricsService:
    # -- Create service.
    create: true
    # -- Service port.
    # Metrics server will be exposed at this port.
    port: 8000
    # -- Service type.
    type: ClusterIP
    # -- (string) Service node port.
    # Only used if `type` is `NodePort`.
    nodePort: ~
    # -- Service annotations.
    annotations: {}

  networkPolicy:

    # -- When true, use a NetworkPolicy to allow ingress to the webhook
    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
    enabled: false

    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
    ingressFrom: []

  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
    # -- Additional labels
    additionalLabels: {}
    # -- (string) Override namespace
    namespace: ~
    # -- Interval to scrape metrics
    interval: 30s
    # -- Timeout if metrics can't be retrieved in given time interval
    scrapeTimeout: 25s
    # -- Is TLS required for endpoint
    secure: false
    # -- TLS Configuration for endpoint
    tlsConfig: {}
    # -- RelabelConfigs to apply to samples before scraping
    relabelings: []
    # -- MetricRelabelConfigs to apply to samples before ingestion.
    metricRelabelings: []

  tracing:
    # -- Enable tracing
    enabled: false
    # -- (string) Traces receiver address
    address: ~
    # -- (string) Traces receiver port
    port: ~
    # -- (string) Traces receiver credentials
    creds: ~

  metering:
    # -- Disable metrics export
    disabled: false
    # -- Otel configuration, can be `prometheus` or `grpc`
    config: prometheus
    # -- Prometheus endpoint port
    port: 8000
    # -- (string) Otel collector endpoint
    collector: ~
    # -- (string) Otel collector credentials
    creds: ~