forked from kyverno/kyverno
-
Notifications
You must be signed in to change notification settings - Fork 0
/
values.yaml
109 lines (93 loc) · 3.62 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# -- Policy kind (`ClusterPolicy`, `Policy`)
# Set to `Policy` if you need namespaced policies and not cluster policies
policyKind: ClusterPolicy
# -- Pod Security Standard profile (`baseline`, `restricted`, `privileged`, `custom`).
# For more info https://kyverno.io/policies/pod-security.
podSecurityStandard: baseline
# -- Pod Security Standard (`low`, `medium`, `high`).
podSecuritySeverity: medium
# -- Policies to include when `podSecurityStandard` is `custom`.
podSecurityPolicies: []
# -- Additional policies to include from `other`.
includeOtherPolicies: []
# - require-non-root-groups
# -- Additional policies to include from `restricted`.
includeRestrictedPolicies: []
# - require-run-as-non-root-user
# -- API server behavior if the webhook fails to respond ('Ignore', 'Fail')
# For more info: https://kyverno.io/docs/writing-policies/policy-settings/
failurePolicy: Fail
# -- Validation failure action (`Audit`, `Enforce`).
# For more info https://kyverno.io/docs/writing-policies/validate.
validationFailureAction: Audit
# -- Define validationFailureActionByPolicy for specific policies.
# Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies.
validationFailureActionByPolicy: {}
# disallow-capabilities-strict: enforce
# disallow-host-path: enforce
# disallow-host-ports: enforce
# -- Define validationFailureActionOverrides for specific policies.
# The overrides for `all` will apply to all policies.
validationFailureActionOverrides:
all: []
# all:
# - action: audit
# namespaces:
# - ingress-nginx
# disallow-host-path:
# - action: audit
# namespaces:
# - fluent
# -- Exclude resources from individual policies.
# Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map.
policyExclude: {}
# # Exclude resources from individual policies
# disallow-host-path:
# any:
# - resources:
# kinds:
# - Pod
# namespaces:
# - fluent
# # Policies with multiple rules can have individual rules excluded
# adding-capabilities-strict:
# any:
# - resources:
# kinds:
# - Pod
# namespaces:
# - kube-system
# -- Add preconditions to individual policies.
# Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map.
policyPreconditions: {}
# # Exclude resources from individual policies
# require-run-as-non-root-user:
# all:
# - key: "{{ request.object.metadata.name }}"
# operator: NotEquals
# value: "dcgm-exporter*"
# # Policies with multiple rules can have individual rules excluded
# require-drop-all:
# any:
# - key: "{{ request.object.metadata.name }}"
# operator: NotEquals
# value: "dcgm-exporter*"
# adding-capabilities-strict:
# all:
# - key: "{{ request.object.metadata.name }}"
# operator: NotEquals
# value: "dcgm-exporter*"
# -- Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`)
# For more info https://kyverno.io/docs/writing-policies/autogen/.
autogenControllers: ""
# -- Name override.
nameOverride:
# -- Additional labels.
customLabels: {}
# -- Policies background mode
background: true
# -- (bool) SkipBackgroundRequests bypasses admission requests that are sent by the background controller
skipBackgroundRequests: ~
# -- Kyverno version
# The default of "autodetect" will try to determine the currently installed version from the deployment
kyvernoVersion: autodetect