diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 1921ed4cb0..f2b326e628 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md 
@@ -67,11 +67,11 @@ The following table lists the configurable parameters of the kyverno chart and t | `affinity` | node/pod affinities | `nil` | | `createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` | | `config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` | -| `config.resourceFilters` | list of filter of resource types to be skipped by kyverno policy engine. See [documentation](https://github.com/kyverno/kyverno/blob/master/documentation/installation.md#filter-kubernetes-resources-that-admission-webhook-should-not-process) for details | `["[Event,*,*]","[*,kube-system,*]","[*,kube-public,*]","[*,kube-node-lease,*]","[Node,*,*]","[APIService,*,*]","[TokenReview,*,*]","[SubjectAccessReview,*,*]","[*,kyverno,*]"]` | -| `config.webhooks` | customize webhook configurations for both MutatingWebhookConfiguration and ValidatingWebhookConfiguration of Kubernetes resources, only `namesapceSelector` can be configured with Kyverno v1.4.0 | `nil` | -| customLabels | object | `{}` | Additional labels | -| `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` | -| envVars | Extra environment variables to pass to kyverno | {} | +| `config.resourceFilters` | list of resource types to be skipped by kyverno policy engine. 
See [documentation](https://kyverno.io/docs/installation/#resource-filters) for details | `[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*]` | +| `config.webhooks` | customize webhook configurations for both MutatingWebhookConfiguration and ValidatingWebhookConfiguration of Kubernetes resources, only `namespaceSelector` can be configured with Kyverno v1.4.0 | `nil` | +| `customLabels` | Additional labels | `{}` +| `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official Kubernetes docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` | +| `envVars` | Extra environment variables to pass to Kyverno | {} | | `extraArgs` | list of extra arguments to give the binary | `[]` | | `fullnameOverride` | override the expanded name of the chart | `nil` | | `generatecontrollerExtraResources` | extra resource type Kyverno is allowed to generate | `[]` | 
@@ -91,23 +91,23 @@ The following table lists the configurable parameters of the kyverno chart and t | `podLabels` | additional labels to add to each pod | `{}` | | `podSecurityContext` | security context for the pod | `{}` | | `priorityClassName` | priorityClassName | `nil` | -| `rbac.create` | create cluster roles, cluster role bindings, and service account | `true` | -| `rbac.serviceAccount.create` | create a service account | `true` | -| `rbac.serviceAccount.name` | the service account name | `nil` | -| `rbac.serviceAccount.annotations` | annotations for the service account | `{}` | +| `rbac.create` | create ClusterRoles, ClusterRoleBindings, and ServiceAccount | `true` | +| `rbac.serviceAccount.create` | create a ServiceAccount | `true` | +| `rbac.serviceAccount.name` | the ServiceAccount name | `nil` | +| `rbac.serviceAccount.annotations` | annotations for the ServiceAccount | `{}` | | `readinessProbe` | readiness probe configuration | `{}` | | `replicaCount` | desired number of pods | `1` | -| `resources` | pod resource requests & limits | `{}` | +| `resources` | pod resource requests and limits | `{}` | | `service.annotations` | annotations to add to the service | `{}` | | `service.nodePort` | node port | `nil` | | `service.port` | port for the service | `443` | | `service.type` | type of service | `ClusterIP` | | `tolerations` | list of node taints to tolerate | `[]` | | `securityContext` | security context configuration | `{}` | -| `podSecurityStandard` | set desired pod security level `privileged`, `baseline`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `baseline` | +| `podSecurityStandard` | set desired pod security level `privileged`, `default`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. 
See: https://kyverno.io/policies/pod-security/ | `baseline` | | `podSecuritySeverity` | set desired pod security severity `low`, `medium`, `high`. Used severity level in PolicyReportResults for the selected pod security policies. | `medium` | | `podSecurityPolicies` | Policies to include when `podSecurityStandard` is set to `custom` | `[]` | -| `validationFailureAction` | set to get response in failed validation check. Supported values- `audit`, `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit` | +| `validationFailureAction` | set to get response in failed validation check. Supported values are `audit` and `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, 
@@ -126,11 +126,10 @@ $ helm install --namespace kyverno kyverno ./charts/kyverno -f values.yaml ## TLS Configuration -If `createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate describe in option 2 of the [installation documentation](https://github.com/kyverno/kyverno/blob/master/documentation/installation.md#option-2-use-your-own-ca-signed-certificate) +If `createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate) -If `createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the documentation. +If `createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno). ## Kyverno CLI See: https://kyverno.io/docs/kyverno-cli/ -
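Review bot: In the first hunk (`@@ -67,11 +67,11 @@`), the new `customLabels` row is missing its closing `|`, and the `envVars` default `{}` is still not in backticks like the other defaults, so the table will render inconsistently. The `config.resourceFilters` default also changes form, from a quoted list (`["[Event,*,*]","[*,kube-system,*]",...]`) to one concatenated string (`[Event,*,*][*,kube-system,*]...`), and gains entries such as `[Binding,*,*]` and `[ReplicaSet,*,*]`. Since these filters decide which resources the policy engine skips, the description should state the expected value format and make clear that anything matching an entry is not evaluated by policies.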
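Review bot: In the second hunk (`@@ -91,23 +91,23 @@`), the `podSecurityStandard` row now lists the accepted levels as `privileged`, `default`, `restricted`, `custom`, but its default column still reads `baseline`, which is no longer one of the listed values. Either keep `baseline` in the list or update the default column to match, so the documented default is one of the documented values and a reader cannot pick a level name that does not select the intended pod security policies.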
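Review bot: In the third hunk (`@@ -126,11 +126,10 @@`), the paragraph for `createSelfSignedCert` set to `false` says Kyverno will generate a self-signed CA and a certificate, while the `createSelfSignedCert` table row kept as context in the first hunk says Kyverno defaults to using a kube-controller-manager CA-signed certificate or an existing cert secret when false. Please reconcile the two descriptions so it is clear which CA signs the certificate in the default configuration. The `true` paragraph also speaks of a self-signed certificate while linking to the anchor `#option-2-use-your-own-ca-signed-certificate`, and it still ends without a period after the link.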