2022-02-25 17:22:00 +01:00
|
|
|
# -- Pod Security Standard profile (`baseline`, `restricted`, `privileged`, `custom`).
|
|
|
|
|
# For more info https://kyverno.io/policies/pod-security.
|
2021-09-22 16:56:10 -04:00
|
|
|
podSecurityStandard: baseline
|
2022-02-25 17:22:00 +01:00
|
|
|
|
|
|
|
|
# -- Pod Security Standard (`low`, `medium`, `high`).
|
2021-09-22 16:56:10 -04:00
|
|
|
podSecuritySeverity: medium
|
2022-02-25 17:22:00 +01:00
|
|
|
|
|
|
|
|
# -- Policies to include when `podSecurityStandard` is `custom`.
|
2021-09-22 16:56:10 -04:00
|
|
|
podSecurityPolicies: []
|
2022-02-25 17:22:00 +01:00
|
|
|
|
|
|
|
|
# -- Additional policies to include from `other`.
|
2022-02-04 01:47:36 -05:00
|
|
|
includeOtherPolicies: []
|
2022-02-25 17:22:00 +01:00
|
|
|
# - require-non-root-groups
|
|
|
|
|
|
|
|
|
|
# -- Validation failure action (`audit`, `enforce`).
|
|
|
|
|
# For more info https://kyverno.io/docs/writing-policies/validate.
|
2021-09-22 16:56:10 -04:00
|
|
|
validationFailureAction: audit
|
2022-02-25 17:22:00 +01:00
|
|
|
|
|
|
|
|
# -- Define validationFailureActionOverrides for specific policies.
|
|
|
|
|
# The overrides for `all` will apply to all policies.
|
2022-02-09 03:24:35 -05:00
|
|
|
validationFailureActionOverrides:
|
|
|
|
|
all: []
|
2022-02-25 17:22:00 +01:00
|
|
|
# all:
|
|
|
|
|
# - action: audit
|
|
|
|
|
# namespaces:
|
|
|
|
|
# - ingress-nginx
|
|
|
|
|
# disallow-host-path:
|
|
|
|
|
# - action: audit
|
|
|
|
|
# namespaces:
|
|
|
|
|
# - fluent
|
|
|
|
|
|
|
|
|
|
# -- Exclude resources from individual policies.
|
|
|
|
|
# Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map.
|
2022-02-04 01:47:36 -05:00
|
|
|
policyExclude: {}
|
2022-02-25 17:22:00 +01:00
|
|
|
# # Exclude resources from individual policies
|
|
|
|
|
# disallow-host-path:
|
|
|
|
|
# any:
|
|
|
|
|
# - resources:
|
|
|
|
|
# kinds:
|
|
|
|
|
# - Pod
|
|
|
|
|
# namespaces:
|
|
|
|
|
# - fluent
|
|
|
|
|
# # Policies with multiple rules can have individual rules excluded
|
|
|
|
|
# adding-capabilities-strict:
|
|
|
|
|
# any:
|
|
|
|
|
# - resources:
|
|
|
|
|
# kinds:
|
|
|
|
|
# - Pod
|
|
|
|
|
# namespaces:
|
|
|
|
|
# - kube-system
|
2022-04-18 13:59:47 -04:00
|
|
|
# -- Add preconditions to individual policies.
|
|
|
|
|
# Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map.
|
|
|
|
|
policyPreconditions: {}
|
|
|
|
|
# # Exclude resources from individual policies
|
|
|
|
|
# require-run-as-non-root-user:
|
2022-04-26 23:52:45 -04:00
|
|
|
# all:
|
2022-04-18 13:59:47 -04:00
|
|
|
# - key: "{{ request.object.metadata.name }}"
|
|
|
|
|
# operator: NotEquals
|
|
|
|
|
# value: "dcgm-exporter*"
|
|
|
|
|
# # Policies with multiple rules can have individual rules excluded
|
2022-04-26 23:52:45 -04:00
|
|
|
# require-drop-all:
|
|
|
|
|
# any:
|
|
|
|
|
# - key: "{{ request.object.metadata.name }}"
|
|
|
|
|
# operator: NotEquals
|
|
|
|
|
# value: "dcgm-exporter*"
|
2022-04-18 13:59:47 -04:00
|
|
|
# adding-capabilities-strict:
|
2022-04-26 23:52:45 -04:00
|
|
|
# all:
|
|
|
|
|
# - key: "{{ request.object.metadata.name }}"
|
|
|
|
|
# operator: NotEquals
|
|
|
|
|
# value: "dcgm-exporter*"
|
2021-09-22 16:56:10 -04:00
|
|
|
|
2022-02-25 17:22:00 +01:00
|
|
|
# -- Name override.
|
2021-09-22 16:56:10 -04:00
|
|
|
nameOverride:
|
2022-02-25 17:22:00 +01:00
|
|
|
|
|
|
|
|
# -- Additional labels.
|
2021-09-22 16:56:10 -04:00
|
|
|
customLabels: {}
|
2022-02-25 17:22:00 +01:00
|
|
|
|
|
|
|
|
# -- Policies background mode
|
2022-02-24 17:31:51 +01:00
|
|
|
background: true
|
