4c99b51fb7
* - remove github releaser - add app version in Helm notes Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update chart var Signed-off-by: Shuting Zhao <shutting06@gmail.com> |
||
|---|---|---|
| .. | ||
| crds | ||
| templates | ||
| Chart.yaml | ||
| README.md | ||
| values.yaml | ||
Kyverno
Kyverno is a Kubernetes Native Policy Management engine. It allows you to:
- Manage policies as Kubernetes resources (no new language required.)
- Validate, mutate, and generate resource configurations.
- Select resources based on labels and wildcards.
- View policy enforcement as events.
- Scan existing resources for violations.
Access the complete user documentation and guides at: https://kyverno.io.
TL;DR
## Add the Kyverno Helm repository
$ helm repo add kyverno https://kyverno.github.io/kyverno/
## Install the Kyverno Helm chart
$ helm install kyverno --namespace kyverno kyverno/kyverno --create-namespace
Introduction
This chart bootstraps a Kyverno deployment on a Kubernetes cluster using the Helm package manager.
Installing the Chart
Add the Kyverno Helm repository:
$ helm repo add kyverno https://kyverno.github.io/kyverno/
Create a namespace:
You can install Kyverno in any namespace. The examples use kyverno as the namespace.
$ kubectl create namespace kyverno
Install the Kyverno chart:
$ helm install kyverno --namespace kyverno kyverno ./charts/kyverno
The command deploys Kyverno on the Kubernetes cluster with default configuration. The installation guide lists the parameters that can be configured during installation.
Uninstalling the Chart
To uninstall/delete the kyverno deployment:
$ helm delete -n kyverno kyverno
The command removes all the Kubernetes components associated with the chart and deletes the release.
Configuration
The following table lists the configurable parameters of the kyverno chart and their default values.
| Parameter | Description | Default |
|---|---|---|
affinity |
node/pod affinities | nil |
topologySpreadConstraints |
node/pod topology spread constrains | [] |
createSelfSignedCert |
generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | false |
config.existingConfig |
existing Kubernetes configmap to use for the resource filters configuration | nil |
config.resourceFilters |
list of resource types to be skipped by kyverno policy engine. See documentation for details | [Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*] |
config.webhooks |
customize webhook configurations for both MutatingWebhookConfiguration and ValidatingWebhookConfiguration of Kubernetes resources, only namespaceSelector can be configured with Kyverno v1.4.0 |
nil |
customLabels |
Additional labels | {} |
dnsPolicy |
Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see the official Kubernetes docs | ClusterFirst |
envVarsInit |
Extra environment variables to pass to kyverno initContainers | |
envVars |
Extra environment variables to pass to Kyverno | {} |
extraArgs |
list of extra arguments to give the binary | [] |
fullnameOverride |
override the expanded name of the chart | nil |
generatecontrollerExtraResources |
extra resource type Kyverno is allowed to generate | [] |
hostNetwork |
Use the host network's namespace. Set it to true when dealing with a custom CNI over Amazon EKS |
false |
image.pullPolicy |
Image pull policy | IfNotPresent |
image.pullSecrets |
Specify image pull secrets | [] (does not add image pull secrets to deployed pods) |
image.repository |
Image repository | ghcr.io/kyverno/kyverno |
image.tag |
Image tag | nil |
initImage.pullPolicy |
Init image pull policy | nil |
initImage.repository |
Init image repository | ghcr.io/kyverno/kyvernopre |
initImage.tag |
Init image tag | nil |
livenessProbe |
liveness probe configuration | {} |
nameOverride |
override the name of the chart | nil |
namespace |
namespace the chart deploy to | nil |
nodeSelector |
node labels for pod assignment | {} |
podAnnotations |
annotations to add to each pod | {} |
podLabels |
additional labels to add to each pod | {} |
podSecurityContext |
security context for the pod | {} |
priorityClassName |
priorityClassName | nil |
rbac.create |
create ClusterRoles, ClusterRoleBindings, and ServiceAccount | true |
rbac.serviceAccount.create |
create a ServiceAccount | true |
rbac.serviceAccount.name |
the ServiceAccount name | nil |
rbac.serviceAccount.annotations |
annotations for the ServiceAccount | {} |
readinessProbe |
readiness probe configuration | {} |
replicaCount |
desired number of pods | 1 |
resources |
pod resource requests and limits | {} |
service.annotations |
annotations to add to the service | {} |
service.nodePort |
node port | nil |
service.port |
port for the service | 443 |
service.type |
type of service | ClusterIP |
serviceMonitor.enabled |
create a ServiceMonitor(Requires Prometheus) | false |
serviceMonitor.additionalLabels |
additional labels to add for ServiceMonitor | nil |
| serviceMonitor.interval | interval to scrape metrics | 30s |
| serviceMonitor.scrapeTimeout | timeout if metrics can't be retrieved in given time interval | 25s |
| serviceMonitor.secure | is TLS required for endpoint | false |
| serviceMonitor.tlsConfig | TLS Configuration for endpoint | [] |
| tolerations | list of node taints to tolerate | [] |
| securityContext | security context configuration | {} |
| podSecurityStandard | set desired pod security level privileged, baseline, restricted, custom. Set to restricted for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | baseline |
| podSecuritySeverity | set desired pod security severity low, medium, high. Used severity level in PolicyReportResults for the selected pod security policies. | medium |
| podSecurityPolicies | Policies to include when podSecurityStandard is set to custom | [] |
| validationFailureAction | set to get response in failed validation check. Supported values are audit and enforce. See: https://kyverno.io/docs/writing-policies/validate/ | audit |
Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,
$ helm install --namespace kyverno kyverno ./charts/kyverno \
--set=image.tag=v0.0.2,resources.limits.cpu=200m
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
$ helm install --namespace kyverno kyverno ./charts/kyverno -f values.yaml
Tip: You can use the default values.yaml
TLS Configuration
If createSelfSignedCert is true, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the installation documentation
If createSelfSignedCert is false, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the documentation.