mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 16:06:56 +00:00
147 lines
4.6 KiB
YAML
147 lines
4.6 KiB
YAML
nameOverride:
|
|
fullnameOverride:
|
|
namespace:
|
|
# Supported- default/restricted/privileged
|
|
# For more info- https://kyverno.io/policies/pod-security
|
|
podSecurityStandard: default
|
|
|
|
rbac:
|
|
create: true
|
|
serviceAccount:
|
|
create: true
|
|
name:
|
|
annotations: {}
|
|
# example.com/annotation: value
|
|
|
|
image:
|
|
repository: ghcr.io/kyverno/kyverno
|
|
# Defaults to appVersion in Chart.yaml if omitted
|
|
tag:
|
|
pullPolicy: IfNotPresent
|
|
pullSecrets: []
|
|
# - secretName
|
|
initImage:
|
|
repository: ghcr.io/kyverno/kyvernopre
|
|
# If initImage.tag is missing, defaults to image.tag
|
|
tag:
|
|
# If initImage.pullPolicy is missing, defaults to image.pullPolicy
|
|
pullPolicy:
|
|
# No pull secrets just for initImage; just add to image.pullSecrets
|
|
|
|
replicaCount: 1
|
|
|
|
podLabels: {}
|
|
# example.com/label: foo
|
|
|
|
podAnnotations: {}
|
|
# example.com/annotation: foo
|
|
|
|
podSecurityContext: {}
|
|
|
|
affinity: {}
|
|
nodeSelector: {}
|
|
tolerations: []
|
|
|
|
# change hostNetwork to true when you want the kyverno's pod to share its host's network namespace
|
|
# useful for situations like when you end up dealing with a custom CNI over Amazon EKS
|
|
# update the 'dnsPolicy' accordingly as well to suit the host network mode
|
|
hostNetwork: false
|
|
|
|
# dnsPolicy determines the manner in which DNS resolution happens in the cluster
|
|
# in case of hostNetwork: true, usually, the dnsPolicy is suitable to be "ClusterFirstWithHostNet"
|
|
# for further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
|
|
dnsPolicy: "ClusterFirst"
|
|
|
|
extraArgs: []
|
|
# - --webhooktimeout=4
|
|
|
|
resources:
|
|
limits:
|
|
memory: 256Mi
|
|
requests:
|
|
cpu: 100m
|
|
memory: 50Mi
|
|
|
|
## Liveness Probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
|
|
##
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /health/liveness
|
|
port: 9443
|
|
scheme: HTTPS
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 2
|
|
successThreshold: 1
|
|
|
|
## Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
|
|
##
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /health/readiness
|
|
port: 9443
|
|
scheme: HTTPS
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
|
|
# TODO(mbarrien): Should we just list all resources for the
|
|
# generatecontroller in here rather than having defaults hard-coded?
|
|
generatecontrollerExtraResources:
|
|
# - ResourceA
|
|
# - ResourceB
|
|
|
|
config:
|
|
# resource types to be skipped by kyverno policy engine
|
|
# Make sure to surround each entry in quotes so that it doesn't get parsed
|
|
# as a nested YAML list. These are joined together without spaces in the configmap
|
|
resourceFilters:
|
|
- "[Event,*,*]"
|
|
- "[*,kube-system,*]"
|
|
- "[*,kube-public,*]"
|
|
- "[*,kube-node-lease,*]"
|
|
- "[Node,*,*]"
|
|
- "[APIService,*,*]"
|
|
- "[TokenReview,*,*]"
|
|
- "[SubjectAccessReview,*,*]"
|
|
- "[*,kyverno,*]"
|
|
- "[Binding,*,*]"
|
|
- "[ReplicaSet,*,*]"
|
|
- "[ReportChangeRequest,*,*]"
|
|
- "[ClusterReportChangeRequest,*,*]"
|
|
# Or give the name of an existing config map (ignores default/provided resourceFilters)
|
|
existingConfig: ''
|
|
excludeGroupRole:
|
|
# - ""
|
|
excludeUsername:
|
|
# - ""
|
|
# existingConfig: init-config
|
|
|
|
service:
|
|
port: 443
|
|
type: ClusterIP
|
|
# Only used if service.type is NodePort
|
|
nodePort:
|
|
## Provide any additional annotations which may be required. This can be used to
|
|
## set the LoadBalancer service type to internal only.
|
|
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
|
|
##
|
|
annotations: {}
|
|
|
|
# Kyverno requires a certificate key pair and corresponding certificate authority
|
|
# to properly register its webhooks. This can be done in one of 3 ways:
|
|
# 1) Use kube-controller-manager to generate a CA-signed certificate (preferred)
|
|
# 2) Provide your own CA and cert.
|
|
# In this case, you will need to create a certificate with a specific name and data structure.
|
|
# As long as you follow the naming scheme, it will be automatically picked up.
|
|
# kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entry named rootCA.crt)
|
|
# kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt)
|
|
# 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true
|
|
# If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false
|
|
createSelfSignedCert: false
|
|
|