mirror of
https://github.com/kyverno/policy-reporter.git
synced 2024-12-14 11:57:32 +00:00
27b04d0e0e
Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de> |
||
---|---|---|
.. | ||
configs | ||
templates | ||
Chart.yaml | ||
README.md | ||
README.md.gotmpl | ||
values.yaml |
policy-reporter
Policy Reporter watches for PolicyReport Resources. It creates Prometheus Metrics and can send rule validation events to different targets like Loki, Elasticsearch, Slack or Discord
Documentation
You can find detailed Information and Screens about Features and Configurations in the Documentation.
Installation with Helm v3
Installation via Helm Repository
Add the Helm repository
helm repo add policy-reporter https://kyverno.github.io/policy-reporter
helm repo update
Basic Installation
The basic installation provides an Prometheus Metrics Endpoint and different REST APIs, for more details have a look at the Documentation.
helm install policy-reporter policy-reporter/policy-reporter -n policy-reporter --create-namespace
Policy Reporter UI
You can use the Policy Reporter as standalone Application along with the optional UI SubChart.
Installation with Policy Reporter UI and Kyverno Plugin enabled
helm install policy-reporter policy-reporter/policy-reporter --set plugin.kyverno.enabled=true --set ui.enabled=true -n policy-reporter --create-namespace
kubectl port-forward service/policy-reporter-ui 8082:8080 -n policy-reporter
Open http://localhost:8082/
in your browser.
Values
Key | Type | Default | Description |
---|---|---|---|
nameOverride | string | "" |
Override the chart name used for all resources |
fullnameOverride | string | "policy-reporter" |
Overwrite the fullname of all resources |
namespaceOverride | string | "" |
Overwrite the namespace of all resources |
image.registry | string | "ghcr.io" |
Image registry |
image.repository | string | "kyverno/policy-reporter" |
Image repository |
image.pullPolicy | string | "IfNotPresent" |
Image pullPolicy |
image.tag | string | "3.0.0-rc.1" |
Image tag |
imagePullSecrets | list | [] |
Image pullSecrets |
priorityClassName | string | "" |
Deployment priorityClassName |
replicaCount | int | 1 |
Deployment replica count |
revisionHistoryLimit | int | 10 |
The number of revisions to keep |
updateStrategy | object | {} |
Deployment strategy |
port | object | {"name":"http","number":8080} |
Container port |
annotations | object | {} |
Key/value pairs that are attached to all resources. |
rbac.enabled | bool | true |
Create RBAC resources |
serviceAccount.create | bool | true |
Create ServiceAccount |
serviceAccount.automount | bool | true |
Enable ServiceAccount automaount |
serviceAccount.annotations | object | {} |
Annotations for the ServiceAccount |
serviceAccount.name | string | "" |
The ServiceAccount name |
service.enabled | bool | true |
Create Service |
service.type | string | "ClusterIP" |
Service type |
service.port | int | 8080 |
Service port |
service.annotations | object | {} |
Service annotations |
service.labels | object | {} |
Service labels |
podSecurityContext | object | {"fsGroup":1234} |
Security context for the pod |
securityContext.runAsUser | int | 1234 |
|
securityContext.runAsNonRoot | bool | true |
|
securityContext.privileged | bool | false |
|
securityContext.allowPrivilegeEscalation | bool | false |
|
securityContext.readOnlyRootFilesystem | bool | true |
|
securityContext.capabilities.drop[0] | string | "ALL" |
|
securityContext.seccompProfile.type | string | "RuntimeDefault" |
|
podAnnotations | object | {} |
Additional annotations to add to each pod |
podLabels | object | {} |
Additional labels to add to each pod |
resources | object | {} |
Resource constraints |
networkPolicy.enabled | bool | false |
Create NetworkPolicy |
networkPolicy.egress | list | [{"ports":[{"port":6443,"protocol":"TCP"}],"to":null}] |
Egress rule to allowe Kubernetes API Server access |
networkPolicy.ingress | list | [] |
|
ingress.enabled | bool | false |
Create Ingress This ingress exposes the policy-reporter core app. |
ingress.className | string | "" |
Ingress className |
ingress.labels | object | {} |
Labels for the Ingress |
ingress.annotations | object | {} |
Annotations for the Ingress |
ingress.hosts | string | nil |
Ingress host list |
ingress.tls | list | [] |
Ingress tls list |
logging.server | bool | false |
Enables server access logging |
logging.encoding | string | "console" |
Log encoding possible encodings are console and json |
logging.logLevel | int | 0 |
Log level default info |
rest.enabled | bool | false |
Enables the REST API |
metrics.enabled | bool | false |
Enables Prometheus Metrics |
metrics.mode | string | "detailed" |
Metric Mode allowes to customize labels Allowed values: detailed, simple, custom |
metrics.customLabels | list | [] |
List of used labels in custom mode Supported fields are: ["namespace", "rule", "policy", "report" // PolicyReport name, "kind" // resource kind, "name" // resource name, "status", "severity", "category", "source"] |
metrics.filter | object | {} |
Filter results to reduce cardinality |
profiling.enabled | bool | false |
Enable profiling with pprof |
worker | int | 5 |
Amount of queue workers for PolicyReport resource processing |
reportFilter | object | {} |
Filter PolicyReport resources to process |
sourceConfig | list | [] |
Customize source specific logic like result ID generation |
sourceFilters[0].selector.source | string | "kyverno" |
select PolicyReport by source |
sourceFilters[0].uncontrolledOnly | bool | true |
Filter out PolicyReports of controlled Pods and Jobs, only works for PolicyReport with scope resource |
sourceFilters[0].disableClusterReports | bool | false |
Filter out ClusterPolicyReports |
sourceFilters[0].kinds | object | {"exclude":["ReplicaSet"]} |
Filter out PolicyReports based on the scope resource kind |
global.labels | object | {} |
additional labels added on each resource |
basicAuth.username | string | "" |
HTTP BasicAuth username |
basicAuth.password | string | "" |
HTTP BasicAuth password |
basicAuth.secretRef | optional | "" |
Secret reference to get username and/or password from |
emailReports.clusterName | optional | "" |
- Displayed in the email report if configured |
emailReports.titlePrefix | string | "Report" |
Title prefix in the email subject |
emailReports.resources | object | {} |
Resource constraints for the created CronJobs |
emailReports.smtp.secret | optional | "" |
Secret reference to provide the complete or partial SMTP configuration |
emailReports.smtp.host | string | "" |
SMTP Server Host |
emailReports.smtp.port | int | 465 |
SMTP Server Port |
emailReports.smtp.username | string | "" |
SMTP Username |
emailReports.smtp.password | string | "" |
SMTP Password |
emailReports.smtp.from | string | "" |
Displayed from email address |
emailReports.smtp.encryption | string | "" |
SMTP Encryption Default is none, supports ssl/tls and starttls |
emailReports.smtp.skipTLS | bool | false |
Skip SMTP TLS verification |
emailReports.smtp.certificate | string | "" |
SMTP Server Certificate file path |
emailReports.summary.enabled | bool | false |
Enable Summary E-Mail reports |
emailReports.summary.schedule | string | "0 8 * * *" |
CronJob schedule |
emailReports.summary.activeDeadlineSeconds | int | 300 |
CronJob activeDeadlineSeconds |
emailReports.summary.backoffLimit | int | 3 |
CronJob backoffLimit |
emailReports.summary.ttlSecondsAfterFinished | int | 0 |
CronJob ttlSecondsAfterFinished |
emailReports.summary.restartPolicy | string | "Never" |
CronJob restartPolicy |
emailReports.summary.to | list | [] |
List of receiver email addresses |
emailReports.summary.filter | optional | {} |
Report filter |
emailReports.summary.channels | optional | [] |
Channels can be used to to send only a subset of namespaces / sources to dedicated email addresses |
emailReports.violations.enabled | bool | false |
Enable Violation Summary E-Mail reports |
emailReports.violations.schedule | string | "0 8 * * *" |
CronJob schedule |
emailReports.violations.activeDeadlineSeconds | int | 300 |
CronJob activeDeadlineSeconds |
emailReports.violations.backoffLimit | int | 3 |
CronJob backoffLimit |
emailReports.violations.ttlSecondsAfterFinished | int | 0 |
CronJob ttlSecondsAfterFinished |
emailReports.violations.restartPolicy | string | "Never" |
CronJob restartPolicy |
emailReports.violations.to | list | [] |
List of receiver email addresses |
emailReports.violations.filter | optional | {} |
Report filter |
emailReports.violations.channels | optional | [] |
Channels can be used to to send only a subset of namespaces / sources to dedicated email addresses |
existingTargetConfig.enabled | bool | false |
Use an already existing configuration |
existingTargetConfig.name | string | "" |
Name of the secret with the config |
existingTargetConfig.subPath | string | "" |
SubPath within the secret (defaults to config.yaml) |
target.loki.host | string | "" |
Host Address |
target.loki.path | string | "" |
Loki API, defaults to "/loki/api/v1/push" |
target.loki.certificate | string | "" |
Server Certificate file path Can be added under extraVolumes |
target.loki.skipTLS | bool | false |
Skip TLS verification |
target.loki.secretRef | string | "" |
Read configuration from an already existing Secret |
target.loki.mountedSecret | string | "" |
Mounted secret path by Secrets Controller, secret should be in json format |
target.loki.minimumSeverity | string | "" |
Minimum severity: "" < info < low < medium < high < critical |
target.loki.sources | list | [] |
List of sources which should send |
target.loki.skipExistingOnStartup | bool | true |
Skip already existing PolicyReportResults on startup |
target.loki.customFields | object | {} |
Added as additional labels |
target.loki.headers | object | {} |
Additional HTTP Headers |
target.loki.username | string | "" |
HTTP BasicAuth username |
target.loki.password | string | "" |
HTTP BasicAuth password |
target.loki.filter | object | {} |
Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
target.loki.channels | list | [] |
List of channels to route results to different configurations |
target.elasticsearch.host | string | "" |
Host address |
target.elasticsearch.certificate | string | "" |
Server Certificate file path Can be added under extraVolumes |
target.elasticsearch.skipTLS | bool | false |
Skip TLS verification |
target.elasticsearch.index | string | "policy-reporter" |
Elasticsearch index (default: policy-reporter) |
target.elasticsearch.rotation | string | "daily" |
Elasticsearch index rotation and index suffix Possible values: daily, monthly, annually, none (default: daily) |
target.elasticsearch.typelessApi | bool | false |
Enables Elasticsearch typless API https://www.elastic.co/blog/moving-from-types-to-typeless-apis-in-elasticsearch-7-0 keeping as false for retrocompatibility. |
target.elasticsearch.username | string | "" |
HTTP BasicAuth username |
target.elasticsearch.password | string | "" |
HTTP BasicAuth password |
target.elasticsearch.apiKey | string | "" |
Elasticsearch API Key for api key authentication |
target.elasticsearch.secretRef | string | "" |
Read configuration from an already existing Secret |
target.elasticsearch.mountedSecret | string | "" |
Mounted secret path by Secrets Controller, secret should be in json format |
target.elasticsearch.minimumSeverity | string | "" |
Minimum severity: "" < info < low < medium < high < critical |
target.elasticsearch.sources | list | [] |
List of sources which should send |
target.elasticsearch.skipExistingOnStartup | bool | true |
Skip already existing PolicyReportResults on startup |
target.elasticsearch.customFields | object | {} |
Added as additional labels |
target.elasticsearch.filter | object | {} |
Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
target.elasticsearch.channels | list | [] |
List of channels to route results to different configurations |
target.slack.webhook | string | "" |
Webhook Address |
target.slack.channel | string | "" |
Slack Channel |
target.slack.secretRef | string | "" |
Read configuration from an already existing Secret |
target.slack.mountedSecret | string | "" |
Mounted secret path by Secrets Controller, secret should be in json format |
target.slack.minimumSeverity | string | "" |
Minimum severity: "" < info < low < medium < high < critical |
target.slack.sources | list | [] |
List of sources which should send |
target.slack.skipExistingOnStartup | bool | true |
Skip already existing PolicyReportResults on startup |
target.slack.customFields | object | {} |
Added as additional labels |
target.slack.filter | object | {} |
Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
target.slack.channels | list | [] |
List of channels to route results to different configurations |
target.discord.webhook | string | "" |
Webhook Address |
target.discord.secretRef | string | "" |
Read configuration from an already existing Secret |
target.discord.mountedSecret | string | "" |
Mounted secret path by Secrets Controller, secret should be in json format |
target.discord.minimumSeverity | string | "" |
Minimum severity: "" < info < low < medium < high < critical |
target.discord.sources | list | [] |
List of sources which should send |
target.discord.skipExistingOnStartup | bool | true |
Skip already existing PolicyReportResults on startup |
target.discord.customFields | object | {} |
Added as additional labels |
target.discord.filter | object | {} |
Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
target.discord.channels | list | [] |
List of channels to route results to different configurations |
target.teams.webhook | string | "" |
Webhook Address |
target.teams.secretRef | string | "" |
Read configuration from an already existing Secret |
target.teams.mountedSecret | string | "" |
Mounted secret path by Secrets Controller, secret should be in json format |
target.teams.minimumSeverity | string | "" |
Minimum severity: "" < info < low < medium < high < critical |
target.teams.sources | list | [] |
List of sources which should send |
target.teams.skipExistingOnStartup | bool | true |
Skip already existing PolicyReportResults on startup |
target.teams.customFields | object | {} |
Added as additional labels |
target.teams.filter | object | {} |
Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
target.teams.channels | list | [] |
List of channels to route results to different configurations |
target.webhook.host | string | "" |
Webhook Address |
target.webhook.headers | object | {} |
Additional HTTP Headers |
target.webhook.secretRef | string | "" |
Read configuration from an already existing Secret |
target.webhook.mountedSecret | string | "" |
Mounted secret path by Secrets Controller, secret should be in json format |
target.webhook.minimumSeverity | string | "" |
Minimum severity: "" < info < low < medium < high < critical |
target.webhook.sources | list | [] |
List of sources which should send |
target.webhook.skipExistingOnStartup | bool | true |
Skip already existing PolicyReportResults on startup |
target.webhook.customFields | object | {} |
Added as additional labels |
target.webhook.filter | object | {} |
Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
target.webhook.channels | list | [] |
List of channels to route results to different configurations |
target.telegram.token | string | "" |
Telegram bot token |
target.telegram.chatId | string | "" |
Telegram chat id |
target.telegram.host | optional | "" |
Telegram proxy host |
target.telegram.headers | object | {} |
Additional HTTP Headers |
target.telegram.secretRef | string | "" |
Read configuration from an already existing Secret |
target.telegram.mountedSecret | string | "" |
Mounted secret path by Secrets Controller, secret should be in json format |
target.telegram.minimumSeverity | string | "" |
Minimum severity: "" < info < low < medium < high < critical |
target.telegram.sources | list | [] |
List of sources which should send |
target.telegram.skipExistingOnStartup | bool | true |
Skip already existing PolicyReportResults on startup |
target.telegram.customFields | object | {} |
Added as additional labels |
target.telegram.filter | object | {} |
Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
target.telegram.channels | list | [] |
List of channels to route results to different configurations |
target.googleChat.webhook | string | "" |
Webhook Address |
target.googleChat.headers | object | {} |
Additional HTTP Headers |
target.googleChat.secretRef | string | "" |
Read configuration from an already existing Secret |
target.googleChat.mountedSecret | string | "" |
Mounted secret path by Secrets Controller, secret should be in json format |
target.googleChat.minimumSeverity | string | "" |
Minimum severity: "" < info < low < medium < high < critical |
target.googleChat.sources | list | [] |
List of sources which should send |
target.googleChat.skipExistingOnStartup | bool | true |
Skip already existing PolicyReportResults on startup |
target.googleChat.customFields | object | {} |
Added as additional labels |
target.googleChat.filter | object | {} |
Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
target.googleChat.channels | list | [] |
List of channels to route results to different configurations |
target.s3.accessKeyId | optional | "" |
S3 Access key |
target.s3.secretAccessKey | optional | "" |
S3 SecretAccess key |
target.s3.region | optional | "" |
S3 Storage region |
target.s3.endpoint | optional | "" |
S3 Storage endpoint |
target.s3.bucket | required | "" |
S3 Storage bucket name |
target.s3.bucketKeyEnabled | bool | false |
S3 Storage to use an S3 Bucket Key for object encryption with SSE-KMS |
target.s3.kmsKeyId | string | "" |
S3 Storage KMS Key ID for object encryption with SSE-KMS |
target.s3.serverSideEncryption | string | "" |
S3 Storage server-side encryption algorithm used when storing this object in Amazon S3, AES256, aws:kms |
target.s3.pathStyle | bool | false |
S3 Storage, force path style configuration |
target.s3.prefix | string | "" |
Used prefix, keys will have format: s3:////YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json |
target.s3.secretRef | string | "" |
Read configuration from an already existing Secret |
target.s3.mountedSecret | string | "" |
Mounted secret path by Secrets Controller, secret should be in json format |
target.s3.minimumSeverity | string | "" |
Minimum severity: "" < info < low < medium < high < critical |
target.s3.sources | list | [] |
List of sources which should send |
target.s3.skipExistingOnStartup | bool | true |
Skip already existing PolicyReportResults on startup |
target.s3.customFields | object | {} |
Added as additional labels |
target.s3.filter | object | {} |
Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
target.s3.channels | list | [] |
List of channels to route results to different configurations |
target.kinesis.accessKeyId | optional | "" |
Access key |
target.kinesis.secretAccessKey | optional | "" |
SecretAccess key |
target.kinesis.region | optional | "" |
Region |
target.kinesis.endpoint | optional | "" |
Endpoint |
target.kinesis.streamName | required | "" |
StreamName |
target.kinesis.secretRef | string | "" |
Read configuration from an already existing Secret |
target.kinesis.mountedSecret | string | "" |
Mounted secret path by Secrets Controller, secret should be in json format |
target.kinesis.minimumSeverity | string | "" |
Minimum severity: "" < info < low < medium < high < critical |
target.kinesis.sources | list | [] |
List of sources which should send |
target.kinesis.skipExistingOnStartup | bool | true |
Skip already existing PolicyReportResults on startup |
target.kinesis.customFields | object | {} |
Added as additional labels |
target.kinesis.filter | object | {} |
Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
target.kinesis.channels | list | [] |
List of channels to route results to different configurations |
target.securityHub.accessKeyId | optional | "" |
Access key |
target.securityHub.secretAccessKey | optional | "" |
SecretAccess key |
target.securityHub.region | optional | "" |
Region |
target.securityHub.endpoint | optional | "" |
Endpoint |
target.securityHub.accountId | required | "" |
AccountId |
target.securityHub.productName | optional | "" |
Used product name, defaults to "Polilcy Reporter" |
target.securityHub.companyName | optional | "" |
Used company name, defaults to "Kyverno" |
target.securityHub.synchronize | bool | true |
Enable cleanup listener for SecurityHub |
target.securityHub.delayInSeconds | int | 2 |
Delay between AWS GetFindings API calls, to avoid hitting the API RequestLimit |
target.securityHub.secretRef | string | "" |
Read configuration from an already existing Secret |
target.securityHub.mountedSecret | string | "" |
Mounted secret path by Secrets Controller, secret should be in json format |
target.securityHub.minimumSeverity | string | "" |
Minimum severity: "" < info < low < medium < high < critical |
target.securityHub.sources | list | [] |
List of sources which should send |
target.securityHub.skipExistingOnStartup | bool | true |
Skip already existing PolicyReportResults on startup |
target.securityHub.customFields | object | {} |
Added as additional labels |
target.securityHub.filter | object | {} |
Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
target.securityHub.channels | list | [] |
List of channels to route results to different configurations |
target.gcs.credentials | optional | "" |
GCS (Google Cloud Storage) Service Accout Credentials |
target.gcs.bucket | required | "" |
GCS Bucket |
target.gcs.secretRef | string | "" |
Read configuration from an already existing Secret |
target.gcs.mountedSecret | string | "" |
Mounted secret path by Secrets Controller, secret should be in json format |
target.gcs.minimumSeverity | string | "" |
Minimum severity: "" < info < low < medium < high < critical |
target.gcs.sources | list | [] |
List of sources which should send |
target.gcs.skipExistingOnStartup | bool | true |
Skip already existing PolicyReportResults on startup |
target.gcs.customFields | object | {} |
Added as additional labels |
target.gcs.filter | object | {} |
Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
target.gcs.channels | list | [] |
List of channels to route results to different configurations |
leaderElection.releaseOnCancel | bool | true |
|
leaderElection.leaseDuration | int | 15 |
|
leaderElection.renewDeadline | int | 10 |
|
leaderElection.retryPeriod | int | 2 |
|
redis.enabled | bool | false |
Enables Redis as external result cache, uses in memory cache by default |
redis.address | string | "" |
Redis host |
redis.database | int | 0 |
Redis database |
redis.prefix | string | "policy-reporter" |
Redis key prefix |
redis.username | optional | "" |
Username |
redis.password | optional | "" |
Password |
database.type | string | "" |
Use an external Database, supported: mysql, postgres, mariadb |
database.database | string | "" |
Database |
database.username | string | "" |
Username |
database.password | string | "" |
Password |
database.host | string | "" |
Host Address |
database.enableSSL | bool | false |
Enables SSL |
database.dsn | string | "" |
Instead of configure the individual values you can also provide an DSN string example postgres: postgres://postgres:password@localhost:5432/postgres?sslmode=disable example mysql: root:password@tcp(localhost:3306)/test?tls=false |
database.secretRef | string | "" |
Read configuration from an existing Secret supported fields: username, password, host, dsn, database |
database.mountedSecret | string | "" |
|
podDisruptionBudget.minAvailable | int | 1 |
Configures the minimum available pods for policy-reporter disruptions. Cannot be used if maxUnavailable is set. |
podDisruptionBudget.maxUnavailable | string | nil |
Configures the maximum unavailable pods for policy-reporter disruptions. Cannot be used if minAvailable is set. |
nodeSelector | object | {} |
Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
tolerations | list | [] |
Tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ |
affinity | object | {} |
Anti-affinity to disallow deploying client and master nodes on the same worker node |
topologySpreadConstraints | list | [] |
Topology Spread Constraints to better spread pods |
livenessProbe | object | {"httpGet":{"path":"/ready","port":"http"}} |
Deployment livenessProbe for policy-reporter |
readinessProbe | object | {"httpGet":{"path":"/healthz","port":"http"}} |
Deployment readinessProbe for policy-reporter |
extraVolumes.volumeMounts | list | [] |
Deployment volumeMounts |
extraVolumes.volumes | list | [] |
Deployment values |
sqliteVolume | object | {} |
If set the volume for sqlite is freely configurable below "- name: sqlite". If no value is set an emptyDir is used. |
envVars | list | [] |
Allow additional env variables to be added |
tmpVolume | object | {} |
Allow custom configuration of the /tmp volume |
ui.enabled | bool | false |
Enable Policy Reporter UI |
ui.image.registry | string | "ghcr.io" |
Image registry |
ui.image.repository | string | "kyverno/policy-reporter-ui" |
Image repository |
ui.image.pullPolicy | string | "IfNotPresent" |
Image PullPolicy |
ui.image.tag | string | "2.0.0-rc.1" |
Image tag |
ui.replicaCount | int | 1 |
Deployment replica count |
ui.tempDir | string | "/tmp" |
Temporary Directory to persist session data for authentication |
ui.logging.api | bool | false |
Enables external api request logging |
ui.logging.server | bool | false |
Enables server access logging |
ui.logging.encoding | string | "console" |
Log encoding possible encodings are console and json |
ui.logging.logLevel | int | 0 |
Log level default info |
ui.server.port | int | 8080 |
Application port |
ui.server.cors | bool | true |
Enabled CORS header |
ui.server.overwriteHost | bool | true |
Overwrites Request Host with Proxy Host and adds X-Forwarded-Host and X-Origin-Host headers |
ui.openIDConnect.enabled | bool | false |
Enable openID Connect authentication |
ui.openIDConnect.discoveryUrl | string | "" |
OpenID Connect Discovery URL |
ui.openIDConnect.callbackUrl | string | "" |
OpenID Connect Callback URL |
ui.openIDConnect.clientId | string | "" |
OpenID Connect ClientID |
ui.openIDConnect.clientSecret | string | "" |
OpenID Connect ClientSecret |
ui.openIDConnect.scopes | list | [] |
OpenID Connect allowed Scopes |
ui.openIDConnect.secretRef | string | "" |
Provide OpenID Connect configuration via Secret supported keys: discoveryUrl , clientId , clientSecret |
ui.oauth.enabled | bool | false |
Enable openID Connect authentication |
ui.oauth.provider | string | "" |
OAuth2 Provider supported: amazon, gitlab, github, apple, google, yandex, azuread |
ui.oauth.callbackUrl | string | "" |
OpenID Connect Callback URL |
ui.oauth.clientId | string | "" |
OpenID Connect ClientID |
ui.oauth.clientSecret | string | "" |
OpenID Connect ClientSecret |
ui.oauth.scopes | list | [] |
OpenID Connect allowed Scopes |
ui.oauth.secretRef | string | "" |
Provide OpenID Connect configuration via Secret supported keys: provider , clientId , clientSecret |
ui.banner | string | "" |
optional banner text |
ui.displayMode | string | "" |
DisplayMode dark/light/colorblind/colorblinddark uses the OS configured prefered color scheme as default |
ui.customBoards | list | [] |
Additional customizable dashboards |
ui.sources | list | [] |
source specific configurations |
ui.name | string | "Default" |
|
ui.clusters | list | [] |
Connected Policy Reporter APIs |
ui.imagePullSecrets | list | [] |
Image pull secrets for image verification policies, this will define the --imagePullSecrets argument |
ui.serviceAccount.create | bool | true |
Create ServiceAccount |
ui.serviceAccount.automount | bool | true |
Enable ServiceAccount automaount |
ui.serviceAccount.annotations | object | {} |
Annotations for the ServiceAccount |
ui.serviceAccount.name | string | "" |
The ServiceAccount name |
ui.extraManifests | list | [] |
list of extra manifests |
ui.sidecarContainers | object | {} |
Add sidecar containers to the UI deployment sidecarContainers: oauth-proxy: image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 args: - --upstream=http://127.0.0.1:8080 - --http-address=0.0.0.0:8081 - ... ports: - containerPort: 8081 name: oauth-proxy protocol: TCP resources: {} |
ui.podAnnotations | object | {} |
Additional annotations to add to each pod |
ui.podLabels | object | {} |
Additional labels to add to each pod |
ui.updateStrategy | object | {} |
Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
ui.revisionHistoryLimit | int | 10 |
The number of revisions to keep |
ui.podSecurityContext | object | {"runAsGroup":1234,"runAsUser":1234} |
Security context for the pod |
ui.envVars | list | [] |
Allow additional env variables to be added |
ui.rbac.enabled | bool | true |
Create RBAC resources |
ui.securityContext.runAsUser | int | 1234 |
|
ui.securityContext.runAsNonRoot | bool | true |
|
ui.securityContext.privileged | bool | false |
|
ui.securityContext.allowPrivilegeEscalation | bool | false |
|
ui.securityContext.readOnlyRootFilesystem | bool | true |
|
ui.securityContext.capabilities.drop[0] | string | "ALL" |
|
ui.securityContext.seccompProfile.type | string | "RuntimeDefault" |
|
ui.service.type | string | "ClusterIP" |
Service type. |
ui.service.port | int | 8080 |
Service port. |
ui.service.annotations | object | {} |
Service annotations. |
ui.service.labels | object | {} |
Service labels. |
ui.service.additionalPorts | list | [] |
Additional service ports for e.g. Sidecars # - name: authenticated additionalPorts: - name: authenticated port: 8081 targetPort: 8081 |
ui.ingress.enabled | bool | false |
Create ingress resource. |
ui.ingress.port | string | nil |
Redirect ingress to an additional defined port on the service |
ui.ingress.className | string | "" |
Ingress class name. |
ui.ingress.labels | object | {} |
Ingress labels. |
ui.ingress.annotations | object | {} |
Ingress annotations. |
ui.ingress.hosts | list | [] |
List of ingress host configurations. |
ui.ingress.tls | list | [] |
List of ingress TLS configurations. |
ui.networkPolicy.enabled | bool | false |
When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
ui.networkPolicy.egress | list | [{"ports":[{"port":6443,"protocol":"TCP"}]}] |
A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. Enables Kubernetes API Server by default |
ui.networkPolicy.ingress | list | [] |
A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
ui.resources | object | {} |
Resource constraints |
ui.podDisruptionBudget.minAvailable | int | 1 |
Configures the minimum available pods for kyvernoPlugin disruptions. Cannot be used if maxUnavailable is set. |
ui.podDisruptionBudget.maxUnavailable | string | nil |
Configures the maximum unavailable pods for kyvernoPlugin disruptions. Cannot be used if minAvailable is set. |
ui.nodeSelector | object | {} |
Node labels for pod assignment |
ui.tolerations | list | [] |
List of node taints to tolerate |
ui.affinity | object | {} |
Affinity constraints. |
plugin.kyverno.enabled | bool | false |
Enable Kyverno Plugin |
plugin.kyverno.image.registry | string | "ghcr.io" |
Image registry |
plugin.kyverno.image.repository | string | "kyverno/policy-reporter/kyverno-plugin" |
Image repository |
plugin.kyverno.image.pullPolicy | string | "IfNotPresent" |
Image PullPolicy |
plugin.kyverno.image.tag | string | "0.3.0" |
Image tag Defaults to Chart.AppVersion if omitted |
plugin.kyverno.replicaCount | int | 1 |
Deployment replica count |
plugin.kyverno.logging.api | bool | false |
Enables external API request logging |
plugin.kyverno.logging.server | bool | false |
Enables Server access logging |
plugin.kyverno.logging.encoding | string | "console" |
log encoding possible encodings are console and json |
plugin.kyverno.logging.logLevel | int | 0 |
log level default info |
plugin.kyverno.server.port | int | 8080 |
Application port |
plugin.kyverno.blockReports.enabled | bool | false |
Enables he BlockReport feature |
plugin.kyverno.blockReports.eventNamespace | string | "default" |
Watches for Kyverno Events in the configured namespace leave blank to watch in all namespaces |
plugin.kyverno.blockReports.results.maxPerReport | int | 200 |
Max items per PolicyReport resource |
plugin.kyverno.blockReports.results.keepOnlyLatest | bool | false |
Keep only the latest of duplicated events |
plugin.kyverno.imagePullSecrets | list | [] |
Image pull secrets for image verification policies, this will define the --imagePullSecrets argument |
plugin.kyverno.serviceAccount.create | bool | true |
Create ServiceAccount |
plugin.kyverno.serviceAccount.automount | bool | true |
Enable ServiceAccount automaount |
plugin.kyverno.serviceAccount.annotations | object | {} |
Annotations for the ServiceAccount |
plugin.kyverno.serviceAccount.name | string | "" |
The ServiceAccount name |
plugin.kyverno.podAnnotations | object | {} |
Additional annotations to add to each pod |
plugin.kyverno.podLabels | object | {} |
Additional labels to add to each pod |
plugin.kyverno.updateStrategy | object | {} |
Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
plugin.kyverno.revisionHistoryLimit | int | 10 |
The number of revisions to keep |
plugin.kyverno.podSecurityContext | object | {"runAsGroup":1234,"runAsUser":1234} |
Security context for the pod |
plugin.kyverno.envVars | list | [] |
Allow additional env variables to be added |
plugin.kyverno.rbac.enabled | bool | true |
Create RBAC resources |
plugin.kyverno.securityContext.runAsUser | int | 1234 |
|
plugin.kyverno.securityContext.runAsNonRoot | bool | true |
|
plugin.kyverno.securityContext.privileged | bool | false |
|
plugin.kyverno.securityContext.allowPrivilegeEscalation | bool | false |
|
plugin.kyverno.securityContext.readOnlyRootFilesystem | bool | true |
|
plugin.kyverno.securityContext.capabilities.drop[0] | string | "ALL" |
|
plugin.kyverno.securityContext.seccompProfile.type | string | "RuntimeDefault" |
|
plugin.kyverno.service.type | string | "ClusterIP" |
Service type. |
plugin.kyverno.service.port | int | 8080 |
Service port. |
plugin.kyverno.service.annotations | object | {} |
Service annotations. |
plugin.kyverno.service.labels | object | {} |
Service labels. |
plugin.kyverno.ingress.enabled | bool | false |
Create ingress resource. |
plugin.kyverno.ingress.className | string | "" |
Ingress class name. |
plugin.kyverno.ingress.labels | object | {} |
Ingress labels. |
plugin.kyverno.ingress.annotations | object | {} |
Ingress annotations. |
plugin.kyverno.ingress.hosts | list | [] |
List of ingress host configurations. |
plugin.kyverno.ingress.tls | list | [] |
List of ingress TLS configurations. |
plugin.kyverno.networkPolicy.enabled | bool | false |
When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
plugin.kyverno.networkPolicy.egress | list | [{"ports":[{"port":6443,"protocol":"TCP"}]}] |
A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. Enables Kubernetes API Server by default |
plugin.kyverno.networkPolicy.ingress | list | [] |
A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
plugin.kyverno.resources | object | {} |
Resource constraints |
plugin.kyverno.leaderElection.lockName | string | "kyverno-plugin" |
Lock Name |
plugin.kyverno.leaderElection.releaseOnCancel | bool | true |
Released lock when the run context is cancelled. |
plugin.kyverno.leaderElection.leaseDuration | int | 15 |
LeaseDuration is the duration that non-leader candidates will wait to force acquire leadership. |
plugin.kyverno.leaderElection.renewDeadline | int | 10 |
RenewDeadline is the duration that the acting master will retry refreshing leadership before giving up. |
plugin.kyverno.leaderElection.retryPeriod | int | 2 |
RetryPeriod is the duration the LeaderElector clients should wait between tries of actions. |
plugin.kyverno.podDisruptionBudget.minAvailable | int | 1 |
Configures the minimum available pods for kyvernoPlugin disruptions. Cannot be used if maxUnavailable is set. |
plugin.kyverno.podDisruptionBudget.maxUnavailable | string | nil |
Configures the maximum unavailable pods for kyvernoPlugin disruptions. Cannot be used if minAvailable is set. |
plugin.kyverno.nodeSelector | object | {} |
Node labels for pod assignment |
plugin.kyverno.tolerations | list | [] |
List of node taints to tolerate |
plugin.kyverno.affinity | object | {} |
Affinity constraints. |
plugin.trivy.enabled | bool | false |
Enable Trivy Operator Plugin |
plugin.trivy.image.registry | string | "ghcr.io" |
Image registry |
plugin.trivy.image.repository | string | "kyverno/policy-reporter/trivy-plugin" |
Image repository |
plugin.trivy.image.pullPolicy | string | "IfNotPresent" |
Image PullPolicy |
plugin.trivy.image.tag | string | "0.2.0" |
Image tag Defaults to Chart.AppVersion if omitted |
plugin.trivy.replicaCount | int | 1 |
Deployment replica count |
plugin.trivy.logging.api | bool | false |
Enables external API request logging |
plugin.trivy.logging.server | bool | false |
Enables Server access logging |
plugin.trivy.logging.encoding | string | "console" |
log encoding possible encodings are console and json |
plugin.trivy.logging.logLevel | int | 0 |
log level default info |
plugin.trivy.server.port | int | 8080 |
Application port |
plugin.trivy.policyReporter.skipTLS | bool | false |
Skip TLS Verification |
plugin.trivy.policyReporter.certificate | string | "" |
TLS Certificate |
plugin.trivy.policyReporter.secretRef | string | "" |
Secret to read the API configuration from supports host , certificate , skipTLS , username , password key |
plugin.trivy.imagePullSecrets | list | [] |
Image pull secrets for image verification policies, this will define the --imagePullSecrets argument |
plugin.trivy.serviceAccount.create | bool | true |
Create ServiceAccount |
plugin.trivy.serviceAccount.automount | bool | true |
Enable ServiceAccount automaount |
plugin.trivy.serviceAccount.annotations | object | {} |
Annotations for the ServiceAccount |
plugin.trivy.serviceAccount.name | string | "" |
The ServiceAccount name |
plugin.trivy.podAnnotations | object | {} |
Additional annotations to add to each pod |
plugin.trivy.podLabels | object | {} |
Additional labels to add to each pod |
plugin.trivy.updateStrategy | object | {} |
Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
plugin.trivy.revisionHistoryLimit | int | 10 |
The number of revisions to keep |
plugin.trivy.podSecurityContext | object | {"runAsGroup":1234,"runAsUser":1234} |
Security context for the pod |
plugin.trivy.envVars | list | [] |
Allow additional env variables to be added |
plugin.trivy.rbac.enabled | bool | true |
Create RBAC resources |
plugin.trivy.securityContext.runAsUser | int | 1234 |
|
plugin.trivy.securityContext.runAsNonRoot | bool | true |
|
plugin.trivy.securityContext.privileged | bool | false |
|
plugin.trivy.securityContext.allowPrivilegeEscalation | bool | false |
|
plugin.trivy.securityContext.readOnlyRootFilesystem | bool | true |
|
plugin.trivy.securityContext.capabilities.drop[0] | string | "ALL" |
|
plugin.trivy.securityContext.seccompProfile.type | string | "RuntimeDefault" |
|
plugin.trivy.service.type | string | "ClusterIP" |
Service type. |
plugin.trivy.service.port | int | 8080 |
Service port. |
plugin.trivy.service.annotations | object | {} |
Service annotations. |
plugin.trivy.service.labels | object | {} |
Service labels. |
plugin.trivy.ingress.enabled | bool | false |
Create ingress resource. |
plugin.trivy.ingress.className | string | "" |
Ingress class name. |
plugin.trivy.ingress.labels | object | {} |
Ingress labels. |
plugin.trivy.ingress.annotations | object | {} |
Ingress annotations. |
plugin.trivy.ingress.hosts | list | [] |
List of ingress host configurations. |
plugin.trivy.ingress.tls | list | [] |
List of ingress TLS configurations. |
plugin.trivy.networkPolicy.enabled | bool | false |
When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
plugin.trivy.networkPolicy.egress | list | [{"ports":[{"port":6443,"protocol":"TCP"}]}] |
A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. Enables Kubernetes API Server by default |
plugin.trivy.networkPolicy.ingress | list | [] |
A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
plugin.trivy.resources | object | {} |
Resource constraints |
plugin.trivy.podDisruptionBudget.minAvailable | int | 1 |
Configures the minimum available pods for kyvernoPlugin disruptions. Cannot be used if maxUnavailable is set. |
plugin.trivy.podDisruptionBudget.maxUnavailable | string | nil |
Configures the maximum unavailable pods for kyvernoPlugin disruptions. Cannot be used if minAvailable is set. |
plugin.trivy.nodeSelector | object | {} |
Node labels for pod assignment |
plugin.trivy.tolerations | list | [] |
List of node taints to tolerate |
plugin.trivy.affinity | object | {} |
Affinity constraints. |
monitoring.enabled | bool | false |
Enables the Prometheus Operator integration |
monitoring.annotations | object | {} |
Key/value pairs that are attached to all resources. |
monitoring.serviceMonitor.honorLabels | bool | false |
HonorLabels chooses the metrics labels on collisions with target labels |
monitoring.serviceMonitor.namespace | string | nil |
Allow to override the namespace for serviceMonitor |
monitoring.serviceMonitor.labels | object | {} |
Labels to match the serviceMonitorSelector of the Prometheus Resource |
monitoring.serviceMonitor.relabelings | list | [] |
ServiceMonitor Relabelings https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig |
monitoring.serviceMonitor.metricRelabelings | list | [] |
See serviceMonitor.relabelings |
monitoring.serviceMonitor.namespaceSelector | optional | {} |
NamespaceSelector |
monitoring.serviceMonitor.scrapeTimeout | optional | nil |
ScrapeTimeout |
monitoring.serviceMonitor.interval | optional | nil |
Scrape interval |
monitoring.grafana.namespace | string | nil |
Naamespace for configMap of grafana dashboards |
monitoring.grafana.dashboards.enabled | bool | true |
Enable the deployment of grafana dashboards |
monitoring.grafana.dashboards.label | string | "grafana_dashboard" |
Label to find dashboards using the k8s sidecar |
monitoring.grafana.dashboards.value | string | "1" |
Label value to find dashboards using the k8s sidecar |
monitoring.grafana.dashboards.labelFilter | list | [] |
List of custom label filter Used to add filter for report label based metric labels defined in custom mode |
monitoring.grafana.dashboards.multicluster.enabled | bool | false |
Enable cluster filter in all dashboards |
monitoring.grafana.dashboards.multicluster.label | string | "cluster" |
Metric Label which is used to filter clusters |
monitoring.grafana.dashboards.enable.overview | bool | true |
Enable the Overview Dashboard |
monitoring.grafana.dashboards.enable.policyReportDetails | bool | true |
Enable the PolicyReport Dashboard |
monitoring.grafana.dashboards.enable.clusterPolicyReportDetails | bool | true |
Enable the ClusterPolicyReport Dashboard |
monitoring.grafana.folder.annotation | string | "grafana_folder" |
Annotation to enable folder storage using the k8s sidecar |
monitoring.grafana.folder.name | string | "Policy Reporter" |
Grafana folder in which to store the dashboards |
monitoring.grafana.datasource.label | string | "Prometheus" |
Grafana Datasource Label |
monitoring.grafana.datasource.pluginId | string | "prometheus" |
Grafana Datasource PluginId |
monitoring.grafana.datasource.pluginName | string | "Prometheus" |
Grafana Datasource PluginName |
monitoring.grafana.grafanaDashboard.enabled | bool | false |
Create GrafanaDashboard custom resource referencing to the configMap. according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/ |
monitoring.grafana.grafanaDashboard.folder | string | "kyverno" |
Dashboard folder |
monitoring.grafana.grafanaDashboard.allowCrossNamespaceImport | bool | true |
Allow cross Namespace import |
monitoring.grafana.grafanaDashboard.matchLabels | object | {"dashboards":"grafana"} |
Label match selector |
monitoring.policyReportDetails.firstStatusRow.height | int | 8 |
|
monitoring.policyReportDetails.secondStatusRow.enabled | bool | true |
|
monitoring.policyReportDetails.secondStatusRow.height | int | 2 |
|
monitoring.policyReportDetails.statusTimeline.enabled | bool | true |
|
monitoring.policyReportDetails.statusTimeline.height | int | 8 |
|
monitoring.policyReportDetails.passTable.enabled | bool | true |
|
monitoring.policyReportDetails.passTable.height | int | 8 |
|
monitoring.policyReportDetails.failTable.enabled | bool | true |
|
monitoring.policyReportDetails.failTable.height | int | 8 |
|
monitoring.policyReportDetails.warningTable.enabled | bool | true |
|
monitoring.policyReportDetails.warningTable.height | int | 4 |
|
monitoring.policyReportDetails.errorTable.enabled | bool | true |
|
monitoring.policyReportDetails.errorTable.height | int | 4 |
|
monitoring.clusterPolicyReportDetails.statusRow.height | int | 6 |
|
monitoring.clusterPolicyReportDetails.statusTimeline.enabled | bool | true |
|
monitoring.clusterPolicyReportDetails.statusTimeline.height | int | 8 |
|
monitoring.clusterPolicyReportDetails.passTable.enabled | bool | true |
|
monitoring.clusterPolicyReportDetails.passTable.height | int | 8 |
|
monitoring.clusterPolicyReportDetails.failTable.enabled | bool | true |
|
monitoring.clusterPolicyReportDetails.failTable.height | int | 8 |
|
monitoring.clusterPolicyReportDetails.warningTable.enabled | bool | true |
|
monitoring.clusterPolicyReportDetails.warningTable.height | int | 4 |
|
monitoring.clusterPolicyReportDetails.errorTable.enabled | bool | true |
|
monitoring.clusterPolicyReportDetails.errorTable.height | int | 4 |
|
monitoring.policyReportOverview.failingSummaryRow.height | int | 8 |
|
monitoring.policyReportOverview.failingTimeline.height | int | 10 |
|
monitoring.policyReportOverview.failingPolicyRuleTable.height | int | 10 |
|
monitoring.policyReportOverview.failingClusterPolicyRuleTable.height | int | 10 |
Source Code
Maintainers
Name | Url | |
---|---|---|
Frank Jogeleit |
Autogenerated from chart metadata using helm-docs v1.11.0