# This file was autogenerated.
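# Common settings shared by several charts. More than one chart reads these
# values, so they should match across every chart that is installed together.
global:
  cattle:
    # Registry that the image sections of this file are resolved against
    # (their comments state that the registry comes from this value).
    systemDefaultRegistry: ghcr.io
  # NOTE(review): the listing this was taken from had lost its indentation;
  # placing skipNamespaces and policyServer under `global` is a reconstruction
  # and should be confirmed against the chart templates.
  #
  # Namespaces skipped by default. Presumably resources in these namespaces are
  # not evaluated (auditScanner.skipAdditionalNamespaces is documented as the
  # list of *additional* namespaces the scanner will not scan). Every entry is
  # therefore a namespace without policy coverage: keep the list limited to
  # system namespaces and restrict who may create workloads in them.
  skipNamespaces:
    - calico-apiserver
    - calico-system
    - cattle-alerting
    - cattle-csp-adapter-system
    - cattle-elemental-system
    - cattle-epinio-system
    - cattle-externalip-system
    - cattle-fleet-local-system
    - cattle-fleet-system
    - cattle-gatekeeper-system
    - cattle-global-data
    - cattle-global-nt
    - cattle-impersonation-system
    - cattle-istio
    - cattle-istio-system
    - cattle-logging
    - cattle-logging-system
    - cattle-monitoring-system
    - cattle-neuvector-system
    - cattle-prometheus
    - cattle-provisioning-capi-system
    - cattle-resources-system
    - cattle-sriov-system
    - cattle-system
    - cattle-ui-plugin-system
    - cattle-windows-gmsa-system
    - cert-manager
    - cis-operator-system
    - fleet-default
    - ingress-nginx
    - istio-system
    - kube-node-lease
    - kube-public
    - kube-system
    - longhorn-system
    - rancher-alerting-drivers
    - security-scan
    - tigera-operator
  policyServer:
    # Name and on/off switch of the default policy server entry.
    default:
      name: default
      enabled: true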
# Settings for kubewarden-controller.
# nameOverride replaces the chart name from Chart.yaml wherever that name is
# used to construct Kubernetes object names.
nameOverride: ""
# fullnameOverride completely replaces the generated release name.
fullnameOverride: ""
# Secrets used to pull container images from private registries. Only
# references belong here; the registry credentials themselves stay in the
# referenced Secret objects, never in this values file.
imagePullSecrets: []
# -- Additional labels to add to all resources
additionalLabels: {}
# Example entry:
#   app: kubewarden-controller
# -- Additional annotations to add to all resources
additionalAnnotations: {}
# Example entry:
#   owner: IT-group1
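# SecurityContext for the controller and audit-scanner containers. The content
# of containerSecurityContext is set directly as the securityContext of the
# container.
# NOTE(review): only privilege escalation is blocked by default. Consider also
# setting `capabilities.drop: [ALL]`, `readOnlyRootFilesystem: true` and
# `seccompProfile.type: RuntimeDefault` once the images are confirmed to run
# under those constraints.
containerSecurityContext:
  allowPrivilegeEscalation: false
# SecurityContext for the controller and audit-scanner pods. The content of
# podSecurityContext is set directly as the securityContext of the pod.
# With runAsNonRoot the kubelet refuses to start a container whose image would
# run as UID 0.
podSecurityContext:
  runAsNonRoot: true
# SecurityContext for the pre-delete-hook job. The fields below are set
# directly as the securityContext of the job's container and pod. They are
# separate from the settings above, so any hardening added there has to be
# repeated here.
preDeleteHook:
  containerSecurityContext:
    allowPrivilegeEscalation: false
  podSecurityContext:
    runAsNonRoot: true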
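# OpenTelemetry options. Metrics and tracing are both off by default.
telemetry:
  metrics:
    enabled: false
    # Port of the Prometheus exporter and the PolicyServer metric service.
    # NOTE(review): how this port is exposed is not visible in this file; if
    # metrics are enabled, limit which workloads can reach it.
    port: 8080
  tracing:
    enabled: false
    jaeger: {}
    # OTLP/Jaeger endpoint to send traces to:
    #   endpoint: "all-in-one-collector.jaeger.svc.cluster.local:4317"
    #   tls:
    #     insecure: true
    # `insecure: true` in this example turns off transport security towards
    # the collector, so traces travel unencrypted and the collector is not
    # authenticated. Use it only for a collector reached over a trusted
    # network path.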
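# Controller image.
# NOTE(review): images are selected by tag, and a tag can be re-pointed in the
# registry. Whether this chart accepts a digest is not visible here; if it
# does, pinning by digest removes that dependency.
image:
  # The registry is defined in the global.cattle.systemDefaultRegistry value.
  # Controller image to be used.
  repository: "kubewarden/kubewarden-controller"
  # Image tag.
  tag: "v1.10.1"
  # With IfNotPresent a node that already holds an image under this tag does
  # not pull it again, so a changed tag upstream is not picked up on that node.
  pullPolicy: IfNotPresent
preDeleteJob:
  image:
    # The registry is defined in the global.cattle.systemDefaultRegistry value.
    # kubectl image to be used in the pre-delete helm hook.
    repository: "kubewarden/kubectl"
    tag: "v1.27.9"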
# kubewarden-controller deployment settings. All four are empty by default.
# NOTE(review): presumably passed through unchanged to the controller's pod
# spec; confirm against the deployment template.
# Extra annotations for the controller pods.
podAnnotations: {}
# Node labels the controller pods must be scheduled onto.
nodeSelector: {}
# Taints the controller pods are allowed to tolerate.
tolerations: []
# Affinity / anti-affinity rules for the controller pods.
affinity: {}
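# Where the chart's TLS certificates come from.
tls:
  # source options:
  # - "cert-manager-self-signed": Scaffold cert-manager integration, and create
  #   a self-signed certificate with a cert-manager self-signed Issuer. Depends
  #   on cert-manager. (default)
  # - "cert-manager": Scaffold cert-manager integration. User configures their
  #   own Issuer. Depends on cert-manager. Set tls.certManagerIssuerName to the
  #   desired Issuer.
  # With the default, the certificate chains to no CA outside the cluster; use
  # "cert-manager" with your own Issuer when certificates must come from an
  # existing PKI.
  source: cert-manager-self-signed
  # "cert-manager"-only options:
  # Name of the Issuer to use; left empty for the self-signed default.
  certManagerIssuerName: ""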
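# Resource limits & requests
# Ref: https://kubernetes.io/docs/user-guide/compute-resources/
resources:
  controller:
    limits:
      cpu: 500m
      memory: 200Mi
    requests:
      cpu: 250m
      memory: 70Mi
  auditScanner:
    limits:
      cpu: 500m
      # NOTE(review): this was 300Mi while requests.memory is 1Gi. Kubernetes
      # rejects a container whose request exceeds its limit, so the audit
      # scanner pods could not be created with those values. The limit is
      # raised to match the request; if the 1Gi request was the mistake, lower
      # the request instead and restore the smaller limit.
      memory: 1Gi
    requests:
      cpu: 250m
      memory: 1Gi
# Controller replicas
replicas: 1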
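# Audit scanner settings.
# NOTE(review): nesting is reconstructed from a flattened listing; in
# particular, containerRestartPolicy is placed directly under auditScanner
# rather than under cronJob. Confirm against the chart templates.
auditScanner:
  # This switch is spelled `enable`, unlike the `enabled` keys used elsewhere
  # in this file; an override written as `enabled` would not match this key.
  enable: true
  # Turns on the policy-reporter subchart configured at the end of this file.
  policyReporter: false
  # The default audit-scanner ServiceAccount is bound to the ClusterRoles:
  # - view: Allows read-only access to most objects in a namespace.
  #   Does not allow viewing secrets, roles or role bindings.
  # - audit-scanner-cluster-role: Allows read-write to Kubewarden resources
  #   and PolicyReports
  # Pointing this at another ServiceAccount changes what the scanner can read
  # and write; give a replacement account no more than the access listed here.
  serviceAccountName: audit-scanner
  image:
    # The registry is defined in the global.cattle.systemDefaultRegistry value.
    # audit-scanner image to be used.
    repository: "kubewarden/audit-scanner"
    # NOTE(review): this is a release-candidate tag and does not match the
    # controller image tag (v1.10.1) set in this file; confirm that shipping a
    # pre-release scanner as the default is intended.
    tag: "v1.11.0-rc1"
    pullPolicy: IfNotPresent
  cronJob:
    # In standard cron syntax a step of 60 in the minute field matches only
    # minute 0, so this runs once an hour, on the hour.
    schedule: "*/60 * * * *"  # every 60 minutes
    failedJobsHistoryLimit: 5
    successfulJobsHistoryLimit: 3
  containerRestartPolicy: Never
  # Additional namespaces that the audit scanner will not scan. Each entry
  # removes a namespace from audit coverage.
  skipAdditionalNamespaces: []
  # Level of logs. One of trace, debug, info, warn, error, fatal.
  logLevel: info
  # Output the result of the scan to stdout in JSON upon completion. When
  # enabled, scan results end up in the pod logs, so anyone who can read those
  # logs can read the findings.
  outputScan: false
  # Configures whether a (Cluster)PolicyReport is stored in Kubernetes/etcd or
  # not.
  disableStore: false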
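# Values for the policy reporter subchart, which is enabled by the
# auditScanner.policyReporter flag.
# The registry is set per image here rather than through
# global.cattle.systemDefaultRegistry, so a mirrored or private registry has to
# be configured in both places.
policy-reporter:
  image:
    registry: ghcr.io
    repository: kyverno/policy-reporter
    tag: "2.17.5"
  ui:
    # The UI is on by default whenever the subchart is enabled.
    # NOTE(review): how the UI is exposed is not visible in this file; it
    # presents policy report data, so limit who can reach it.
    enabled: true
    image:
      registry: ghcr.io
      repository: kyverno/policy-reporter-ui
      tag: "1.9.2"
    views:
      logs: false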