From a83f52291a1038ed7850e66c2b6b4d1da089dbca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Thu, 24 Oct 2024 23:18:14 +0200 Subject: [PATCH] feat: add helm chart MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Charles-Edouard Brétéché --- .gitignore | 2 +- charts/kyverno-envoy-plugin/.helmignore | 3 + charts/kyverno-envoy-plugin/Chart.yaml | 22 ++ .../kyverno-envoy-plugin/templates/NOTES.txt | 1 + .../templates/_helpers/_chart.tpl | 9 + .../templates/_helpers/_labels.tpl | 43 +++ .../templates/_helpers/_names.tpl | 22 ++ .../templates/sidecar-injector/_helpers.tpl | 39 ++ .../cluster-role-binding.yaml | 18 + .../sidecar-injector/cluster-role.yaml | 18 + .../mutating-webhook-configuration.yaml | 35 ++ .../templates/sidecar-injector/secret.yaml | 32 ++ .../sidecar-injector/service-account.yaml | 11 + .../templates/sidecar-injector/service.yaml | 18 + charts/kyverno-envoy-plugin/values.yaml | 343 ++++++++++++++++++ 15 files changed, 615 insertions(+), 1 deletion(-) create mode 100644 charts/kyverno-envoy-plugin/.helmignore create mode 100644 charts/kyverno-envoy-plugin/Chart.yaml create mode 100644 charts/kyverno-envoy-plugin/templates/NOTES.txt create mode 100644 charts/kyverno-envoy-plugin/templates/_helpers/_chart.tpl create mode 100644 charts/kyverno-envoy-plugin/templates/_helpers/_labels.tpl create mode 100644 charts/kyverno-envoy-plugin/templates/_helpers/_names.tpl create mode 100644 charts/kyverno-envoy-plugin/templates/sidecar-injector/_helpers.tpl create mode 100644 charts/kyverno-envoy-plugin/templates/sidecar-injector/cluster-role-binding.yaml create mode 100644 charts/kyverno-envoy-plugin/templates/sidecar-injector/cluster-role.yaml create mode 100644 charts/kyverno-envoy-plugin/templates/sidecar-injector/mutating-webhook-configuration.yaml create mode 100644 charts/kyverno-envoy-plugin/templates/sidecar-injector/secret.yaml create mode 100644 charts/kyverno-envoy-plugin/templates/sidecar-injector/service-account.yaml create mode 100644 charts/kyverno-envoy-plugin/templates/sidecar-injector/service.yaml create mode 100644 charts/kyverno-envoy-plugin/values.yaml diff --git a/.gitignore b/.gitignore index 02f8b179..02883efb 100644 --- a/.gitignore 
+++ b/.gitignore @@ -1,3 +1,3 @@ .tools/ website/site/ -kyverno-envoy-plugin +/kyverno-envoy-plugin diff --git a/charts/kyverno-envoy-plugin/.helmignore b/charts/kyverno-envoy-plugin/.helmignore new file mode 100644 index 00000000..85df807a --- /dev/null +++ b/charts/kyverno-envoy-plugin/.helmignore @@ -0,0 +1,3 @@ +.helmignore +ci/ +README.md.gotmpl diff --git a/charts/kyverno-envoy-plugin/Chart.yaml b/charts/kyverno-envoy-plugin/Chart.yaml new file mode 100644 index 00000000..ccd0dd1c --- /dev/null +++ b/charts/kyverno-envoy-plugin/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +type: application +name: kyverno-envoy-plugin +version: v0.0.0 +appVersion: latest +icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png +description: Kyverno policies based authorization plugin for Envoy ❤️ +keywords: + - kubernetes + - kyverno + - authz + - policy + - envoy + - istio + - security +home: https://kyverno.github.io/kyverno-envoy-plugin +sources: + - https://github.com/kyverno/kyverno-envoy-plugin +maintainers: + - name: Kyverno + url: https://kyverno.io/ +kubeVersion: ">=1.25.0-0" diff --git a/charts/kyverno-envoy-plugin/templates/NOTES.txt b/charts/kyverno-envoy-plugin/templates/NOTES.txt new file mode 100644 index 00000000..1818ad1d --- /dev/null +++ b/charts/kyverno-envoy-plugin/templates/NOTES.txt @@ -0,0 +1 @@ +Chart version: {{ .Chart.Version }} diff --git a/charts/kyverno-envoy-plugin/templates/_helpers/_chart.tpl b/charts/kyverno-envoy-plugin/templates/_helpers/_chart.tpl new file mode 100644 index 00000000..840aa7eb --- /dev/null +++ b/charts/kyverno-envoy-plugin/templates/_helpers/_chart.tpl @@ -0,0 +1,9 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.chart.name" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "kyverno.chart.version" -}} + {{- .Chart.Version | replace "+" "_" -}} +{{- end -}} 
diff --git a/charts/kyverno-envoy-plugin/templates/_helpers/_labels.tpl b/charts/kyverno-envoy-plugin/templates/_helpers/_labels.tpl new file mode 100644 index 00000000..97c0ccba --- /dev/null +++ b/charts/kyverno-envoy-plugin/templates/_helpers/_labels.tpl @@ -0,0 +1,43 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.labels.merge" -}} +{{- $labels := dict -}} +{{- range . -}} + {{- $labels = merge $labels (fromYaml .) -}} +{{- end -}} +{{- with $labels -}} + {{- toYaml $labels -}} +{{- end -}} +{{- end -}} + +{{- define "kyverno.labels.helm" -}} +{{- if not .Values.templating.enabled -}} +helm.sh/chart: {{ template "kyverno.chart.name" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.labels.version" -}} +app.kubernetes.io/version: {{ template "kyverno.chart.version" . }} +{{- end -}} + +{{- define "kyverno.labels.common" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.helm" .) + (include "kyverno.labels.version" .) + (toYaml .Values.customLabels) +) -}} +{{- end -}} + +{{- define "kyverno.labels.component" -}} +app.kubernetes.io/component: {{ . }} +{{- end -}} + +{{- define "kyverno.labels.name" -}} +app.kubernetes.io/name: {{ . }} +{{- end -}} + +{{- define "kyverno.labels.match.common" -}} +app.kubernetes.io/part-of: {{ template "kyverno.names.fullname" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/charts/kyverno-envoy-plugin/templates/_helpers/_names.tpl b/charts/kyverno-envoy-plugin/templates/_helpers/_names.tpl new file mode 100644 index 00000000..327826f7 --- /dev/null +++ b/charts/kyverno-envoy-plugin/templates/_helpers/_names.tpl 
@@ -0,0 +1,22 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "kyverno.names.fullname" -}} +{{- if .Values.fullnameOverride -}} + {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- $name := default .Chart.Name .Values.nameOverride -}} + {{- if contains $name .Release.Name -}} + {{- .Release.Name | trunc 63 | trimSuffix "-" -}} + {{- else -}} + {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{- define "kyverno.namespace" -}} +{{ default .Release.Namespace .Values.namespaceOverride }} +{{- end -}} diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/_helpers.tpl b/charts/kyverno-envoy-plugin/templates/sidecar-injector/_helpers.tpl new file mode 100644 index 00000000..f2b861e6 --- /dev/null +++ b/charts/kyverno-envoy-plugin/templates/sidecar-injector/_helpers.tpl 
@@ -0,0 +1,39 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.sidecar-injector.name" -}} +{{ template "kyverno.names.name" . }}-sidecar-injector +{{- end -}} + +{{- define "kyverno.sidecar-injector.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.sidecar-injector.labels.match" .) +) -}} +{{- end -}} + +{{- define "kyverno.sidecar-injector.labels.match" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.match.common" .) + (include "kyverno.labels.component" "sidecar-injector") +) -}} +{{- end -}} + +{{- define "kyverno.sidecar-injector.role.name" -}} +{{ include "kyverno.names.fullname" . }}:sidecar-injector +{{- end -}} + +{{- define "kyverno.sidecar-injector.service-account.name" -}} +{{- if .Values.sidecarInjector.rbac.create -}} + {{ default (include "kyverno.sidecar-injector.name" .) .Values.sidecarInjector.rbac.serviceAccount.name }} +{{- else -}} + {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.sidecarInjector.rbac.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.sidecar-injector.serviceName" -}} +{{- printf "%s-svc" (include "kyverno.names.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "kyverno.sidecar-injector.caCertificatesConfigMapName" -}} +{{ printf "%s-ca-certificates" (include "kyverno.sidecar-injector.name" .) }} +{{- end -}} diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/cluster-role-binding.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/cluster-role-binding.yaml new file mode 100644 index 00000000..49addd30 --- /dev/null +++ b/charts/kyverno-envoy-plugin/templates/sidecar-injector/cluster-role-binding.yaml 
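Review bot: The `required` message in `kyverno.sidecar-injector.service-account.name` names the wrong value path: the condition reads `.Values.sidecarInjector.rbac.create`, but the error tells the user about `rbac.create`, which is not a top-level key in values.yaml. Change the message text so it says `sidecarInjector.rbac.create` and the render failure points at the key that actually needs setting. Separately, `kyverno.sidecar-injector.serviceName` (`<fullname>-svc`) is defined but not referenced by any template in this commit, while the mutating webhook derives the Service name from `kyverno.sidecar-injector.name` and service.yaml from `kyverno.sidecar-injector.service-account.name`; pick one helper for the Service name and use it everywhere, or drop the unused one.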
@@ -0,0 +1,18 @@ +{{- if .Values.sidecarInjector.enabled -}} +{{- if .Values.sidecarInjector.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "kyverno.sidecar-injector.role.name" . }} + labels: + {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.sidecar-injector.role.name" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.sidecar-injector.service-account.name" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/cluster-role.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/cluster-role.yaml new file mode 100644 index 00000000..4f3fb513 --- /dev/null +++ b/charts/kyverno-envoy-plugin/templates/sidecar-injector/cluster-role.yaml @@ -0,0 +1,18 @@ +{{- if .Values.sidecarInjector.enabled -}} +{{- if .Values.sidecarInjector.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.sidecar-injector.role.name" . }} + labels: + {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }} +rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list +{{- end -}} +{{- end -}} diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/mutating-webhook-configuration.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/mutating-webhook-configuration.yaml new file mode 100644 index 00000000..61687e4e --- /dev/null +++ b/charts/kyverno-envoy-plugin/templates/sidecar-injector/mutating-webhook-configuration.yaml 
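Review bot: The ClusterRole grants `get`/`list` on configmaps in every namespace, which is broader than the single CA-certificates ConfigMap that `kyverno.sidecar-injector.caCertificatesConfigMapName` suggests the injector reads from its own namespace. If that is the only ConfigMap it needs, a namespaced Role/RoleBinding in `{{ template "kyverno.namespace" . }}` would follow least privilege; conversely, if the injector runs an informer on it (values.yaml declares a `resyncPeriod`), `watch` is missing from the verbs and the informer would fail. The intended access pattern is not visible in this commit, so a comment above `rules:` such as `# read access to the CA-certificates ConfigMap; cluster scope because <reason>` would help the next reviewer judge the grant.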
@@ -0,0 +1,35 @@ +{{- if .Values.sidecarInjector.enabled -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "kyverno.sidecar-injector.name" . }} + labels: + {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }} +webhooks: + - name: kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc + clientConfig: + service: + name: {{ template "kyverno.sidecar-injector.name" . }} + namespace: {{ template "kyverno.namespace" . }} + path: "/mutate" + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + rules: + - apiGroups: + - '' + apiVersions: + - v1 + resources: + - pods + operations: + - CREATE + scope: '*' + objectSelector: + matchExpressions: + - key: kyverno-envoy-sidecar/injection + operator: In + values: + - enabled +{{- end -}} diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/secret.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/secret.yaml new file mode 100644 index 00000000..c5ffb0f8 --- /dev/null +++ b/charts/kyverno-envoy-plugin/templates/sidecar-injector/secret.yaml 
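Review bot: `clientConfig` carries no `caBundle`, while secret.yaml generates a self-signed CA for this Service; unless the injector itself patches the CA into this configuration at runtime (not visible in this commit), the API server cannot verify the webhook's certificate and, with `failurePolicy: Fail`, every pod labelled `kyverno-envoy-sidecar/injection=enabled` is rejected. If the CA is injected at runtime, a comment above `clientConfig:` like `# caBundle is populated by the injector from the *.kyverno-tls-ca Secret` would document the dependency; if it is not, the CA has to be generated in a scope shared with secret.yaml so `caBundle: {{ $ca.Cert | b64enc }}` can be rendered here. The webhook `name` is also hard-coded to `kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc` while the Service name and namespace are templated, so it does not follow `nameOverride`/`namespaceOverride`; consider deriving it from `kyverno.sidecar-injector.name` and `kyverno.namespace` for consistency.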
@@ -0,0 +1,32 @@ +{{- if .Values.sidecarInjector.enabled -}} +{{- if .Values.sidecarInjector.createSelfSignedCert -}} +{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}} +{{- $svcName := (printf "%s.%s.svc" (include "kyverno.sidecar-injector.name" .) (include "kyverno.namespace" .)) -}} +{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kyverno.sidecar-injector.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.key: {{ $ca.Key | b64enc }} + tls.crt: {{ $ca.Cert | b64enc }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kyverno.sidecar-injector.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }} + annotations: + self-signed-cert: "true" +type: kubernetes.io/tls +data: + tls.key: {{ $cert.Key | b64enc }} + tls.crt: {{ $cert.Cert | b64enc }} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/service-account.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/service-account.yaml new file mode 100644 index 00000000..a7c0a667 --- /dev/null +++ b/charts/kyverno-envoy-plugin/templates/sidecar-injector/service-account.yaml @@ -0,0 +1,11 @@ +{{- if .Values.sidecarInjector.enabled -}} +{{- if .Values.sidecarInjector.rbac.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.sidecar-injector.service-account.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }} +{{- end -}} +{{- end -}} 
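Review bot: `genCA` and `genSignedCert` produce fresh key material on every render, so each `helm upgrade` rotates both the CA and the serving certificate, any consumer holding the previous CA becomes stale, and `helm template`/`--dry-run` output as well as Helm release storage contain the private keys. The usual mitigation is to reuse an existing Secret before generating, e.g. `{{- $existing := lookup "v1" "Secret" (include "kyverno.namespace" .) "<tls-pair secret name>" -}}` and only fall back to `genCA` when it is empty; the `createSelfSignedCert` comment in values.yaml ("won't be automatically renewed") should then be reworded, since today the pair is regenerated on every upgrade rather than kept. Note that the `1024` argument is the validity period in days, not a key size; a comment `# 1024 = validity in days` on the `genCA` line would prevent that misreading.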
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/service.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/service.yaml new file mode 100644 index 00000000..fa745d98 --- /dev/null +++ b/charts/kyverno-envoy-plugin/templates/sidecar-injector/service.yaml @@ -0,0 +1,18 @@ +{{- if .Values.sidecarInjector.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.sidecar-injector.service-account.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - name: https + protocol: TCP + port: 443 + targetPort: 8443 + selector: + {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }} +{{- end -}} diff --git a/charts/kyverno-envoy-plugin/values.yaml b/charts/kyverno-envoy-plugin/values.yaml new file mode 100644 index 00000000..22935542 --- /dev/null +++ b/charts/kyverno-envoy-plugin/values.yaml 
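Review bot: The Service is named with `kyverno.sidecar-injector.service-account.name`, but the webhook's `clientConfig.service.name` and the certificate SAN in secret.yaml use `kyverno.sidecar-injector.name`; these only agree while `sidecarInjector.rbac.serviceAccount.name` is unset, and an override (or `rbac.create: false`) silently leaves the webhook pointing at a Service that does not exist. Use `name: {{ template "kyverno.sidecar-injector.name" . }}` for `metadata.name` here so the three stay in sync. The `selector` also renders the full label set from `kyverno.sidecar-injector.labels`, which includes `helm.sh/chart` and `app.kubernetes.io/version` and therefore changes on every chart upgrade; the stable match set `kyverno.sidecar-injector.labels.match` exists for exactly this purpose and should be used for the selector. Finally, `port: 443`/`targetPort: 8443` are hard-coded although values.yaml declares `sidecarInjector.service.port` and `sidecarInjector.webhookServer.port: 9443`; whichever port the Deployment (not part of this commit) listens on, one of these declarations is currently dead.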
@@ -0,0 +1,343 @@ +# -- Internal settings used with `helm template` to generate install manifest +# @ignored +templating: + enabled: false + debug: false + version: ~ + +# -- (string) Override the name of the chart +nameOverride: ~ + +# -- (string) Override the expanded name of the chart +fullnameOverride: ~ + +# -- (string) Override the namespace the chart deploys to +namespaceOverride: ~ + +# Sidecar injector configuration +sidecarInjector: + + # -- Enable sidecar injector + enabled: true + + rbac: + # -- Create RBAC resources + create: true + + serviceAccount: + # -- The ServiceAccount name + name: + + # -- Annotations for the ServiceAccount + annotations: {} + # example.com/annotation: value + + # -- Create self-signed certificates at deployment time. + # The certificates won't be automatically renewed if this is set to `true`. + createSelfSignedCert: true + + # -- (int) Desired number of pods + replicas: ~ + + # -- The number of revisions to keep + revisionHistoryLimit: 10 + + # -- Resync period for informers + resyncPeriod: 15m + + # -- Additional labels to add to each pod + podLabels: {} + # example.com/label: foo + + # -- Additional annotations to add to each pod + podAnnotations: {} + # example.com/annotation: foo + + # -- Deployment annotations. + annotations: {} + + # -- Deployment update strategy. + # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # @default -- See [values.yaml](values.yaml) + updateStrategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + + # -- Optional priority class + priorityClassName: '' + + # -- Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno admission controller activities. + # This will help ensure Kyverno stability in busy clusters. + # Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/ + apiPriorityAndFairness: false + + # -- Priority level configuration. 
+ # The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want. + # ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration + # @default -- See [values.yaml](values.yaml) + priorityLevelConfigurationSpec: + type: Limited + limited: + nominalConcurrencyShares: 10 + limitResponse: + queuing: + queueLengthLimit: 50 + type: Queue + + # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. + # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. + # Update the `dnsPolicy` accordingly as well to suit the host network mode. + hostNetwork: false + + # -- admissionController webhook server port + # in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to + webhookServer: + port: 9443 + + # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. + # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. + dnsPolicy: ClusterFirst + + # -- Startup probe. + # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + startupProbe: + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + failureThreshold: 20 + initialDelaySeconds: 2 + periodSeconds: 6 + + # -- Liveness probe. + # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. 
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + livenessProbe: + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 2 + successThreshold: 1 + + # -- Readiness Probe. + # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + readinessProbe: + httpGet: + path: /health/readiness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + antiAffinity: + # -- Pod antiAffinities toggle. + # Enabled by default but can be disabled if you want to schedule pods to the same node. + enabled: true + + # -- Pod anti affinity constraints. + # @default -- See [values.yaml](values.yaml) + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - admission-controller + topologyKey: kubernetes.io/hostname + + # -- Pod affinity constraints. + podAffinity: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Topology spread constraints. + topologySpreadConstraints: [] + + # -- Security context for the pod + podSecurityContext: {} + + podDisruptionBudget: + # -- Enable PodDisruptionBudget. + # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. + enabled: false + # -- Configures the minimum available pods for disruptions. 
+ # Cannot be used if `maxUnavailable` is set. + minAvailable: 1 + # -- Configures the maximum unavailable pods for disruptions. + # Cannot be used if `minAvailable` is set. + maxUnavailable: + + # -- A writable volume to use for the TUF root initialization. + tufRootMountPath: /.sigstore + + # -- Volume to be mounted in pods for TUF/cosign work. + sigstoreVolume: + emptyDir: {} + + caCertificates: + # -- CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + data: ~ + # -- Volume to be mounted for CA certificates + # Not used when `.Values.admissionController.caCertificates.data` is defined + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File + + # -- Image pull secrets + imagePullSecrets: [] + # - secretName + + initContainer: + + image: + # -- Image registry + registry: ghcr.io + # -- Image repository + repository: kyverno/kyvernopre + # -- (string) Image tag + # If missing, defaults to image.tag + tag: ~ + # -- (string) Image pull policy + # If missing, defaults to image.pullPolicy + pullPolicy: ~ + + resources: + # -- Pod resource limits + limits: + cpu: 100m + memory: 256Mi + # -- Pod resource requests + requests: + cpu: 10m + memory: 64Mi + + # -- Container security context + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + # -- Additional container args. + extraArgs: {} + + # -- Additional container environment variables. 
+ extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' + + container: + + image: + # -- Image registry + registry: ghcr.io + # -- Image repository + repository: kyverno/kyverno + # -- (string) Image tag + # Defaults to appVersion in Chart.yaml if omitted + tag: ~ + # -- Image pull policy + pullPolicy: IfNotPresent + + resources: + # -- Pod resource limits + limits: + memory: 384Mi + # -- Pod resource requests + requests: + cpu: 100m + memory: 128Mi + + # -- Container security context + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + # -- Additional container args. + extraArgs: {} + + # -- Additional container environment variables. + extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' + + # -- Array of extra init containers + extraInitContainers: [] + # - name: init-container + # image: busybox + # command: ['sh', '-c', 'echo Hello'] + + # -- Array of extra containers to run alongside kyverno + extraContainers: [] + # - name: myapp-container + # image: busybox + # command: ['sh', '-c', 'echo Hello && sleep 3600'] + + service: + # -- Service port. + port: 443 + # -- Service type. + type: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + # -- Service annotations. + annotations: {} + + metricsService: + # -- Create service. + create: true + # -- Service port. + # Kyverno's metrics server will be exposed at this port. + port: 8000 + # -- Service type. + type: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + # -- Service annotations. + annotations: {}
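Review bot: Several values look carried over from the Kyverno chart and do not match this chart's templates: `podAntiAffinity` matches `app.kubernetes.io/component: admission-controller`, but the component label this chart sets is `sidecar-injector` (via `kyverno.sidecar-injector.labels.match`), so the anti-affinity never applies to the injector's own pods and the value should be `- sidecar-injector`; the `caCertificates.volume` comment refers to `.Values.admissionController.caCertificates.data`, a path that does not exist here; and the `apiPriorityAndFairness` comment talks about "Kyverno admission controller activities". The probes and `webhookServer.port` use 9443 while service.yaml targets 8443 and hard-codes 443 regardless of `service.port`; without the Deployment in this commit it is unclear which is intended, but they should agree and the comments should describe the sidecar injector. Also `serviceAccount.name:`, `maxUnavailable:` and both `nodePort:` keys are bare values that parse as null; write `null` (or `""`) explicitly so the intent is visible and yamllint's `empty-values` rule does not flag them.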