# This file was autogenerated.
# Common settings across multiple charts. These settings will be used
# by more than one chart and they ideally need to match during the
# installation of the charts consuming this values.
global:
  cattle:
    # Registry prefix for the image and policy repositories declared further
    # down (see the policyServer.image and recommendedPolicies.defaultPoliciesRegistry
    # comments); none of those repositories carries its own registry.
    systemDefaultRegistry: ghcr.io
  # Namespaces the recommended policies do not apply to — presumably the base
  # list that recommendedPolicies.skipAdditionalNamespaces extends (TODO confirm
  # against the templates). Anything added here is exempt from those policies,
  # so treat additions as a deliberate security decision.
  skipNamespaces:
    - calico-apiserver
    - calico-system
    - cattle-alerting
    - cattle-csp-adapter-system
    - cattle-elemental-system
    - cattle-epinio-system
    - cattle-externalip-system
    - cattle-fleet-local-system
    - cattle-fleet-system
    - cattle-gatekeeper-system
    - cattle-global-data
    - cattle-global-nt
    - cattle-impersonation-system
    - cattle-istio
    - cattle-istio-system
    - cattle-logging
    - cattle-logging-system
    - cattle-monitoring-system
    - cattle-neuvector-system
    - cattle-prometheus
    - cattle-provisioning-capi-system
    - cattle-resources-system
    - cattle-sriov-system
    - cattle-system
    - cattle-ui-plugin-system
    - cattle-windows-gmsa-system
    - cert-manager
    - cis-operator-system
    - fleet-default
    - ingress-nginx
    - istio-system
    - kube-node-lease
    - kube-public
    - kube-system
    - longhorn-system
    - rancher-alerting-drivers
    - security-scan
    - tigera-operator
  policyServer:
    default:
      # Name of the default PolicyServer; `enabled` presumably controls whether
      # the chart creates it at all — TODO confirm against the templates.
      name: default
      enabled: true
# -- Additional labels to add to all resources
# An empty mapping means no extra labels; uncomment the example to add some.
additionalLabels: {}
#  app: kubewarden-defaults
# -- Additional annotations to add to all resources
# An empty mapping means no extra annotations; uncomment the example to add some.
additionalAnnotations: {}
#  owner: IT-group1
# Policy Server settings
policyServer:
  # Number of policy-server pods; with one replica the admission endpoint has
  # no redundancy while that pod is restarting.
  replicaCount: 1
  # Empty strings leave both disruption-budget values unset — presumably the
  # chart then renders no PodDisruptionBudget; TODO confirm against the templates.
  minAvailable: ""
  maxUnavailable: ""
  image:
    # The registry is defined in the global.cattle.systemDefaultRegistry value
    repository: "kubewarden/policy-server"
    # Pinned image tag; note this is a release-candidate build.
    tag: v1.12.0-rc2
  # ServiceAccount the policy-server pods run as.
  serviceAccountName: policy-server
  # verificationConfig: your_configmap
  # Configmap containing a Sigstore verification configuration under a key
  # named `verification-config`. Must be on the same ns as the PolicyServer.
  permissions:
    # All permissions are cluster-wide. Even namespaced resources are
    # granted access in all namespaces at this time.
    # Keep this list to what the deployed policies actually need to read;
    # every entry here is readable from the policy-server's ServiceAccount.
    - apiGroup: ""
      resources:
        - namespaces
        - pods
        - services
    - apiGroup: "networking.k8s.io"
      resources:
        - ingresses
  env:
    # Log verbosity of the policy-server process.
    - name: KUBEWARDEN_LOG_LEVEL
      value: info
  annotations: {}
  # follows the format of https://docs.kubewarden.io/operator-manual/CRDs#policyserversecurity
  # Empty means no pod/container security context overrides are set here.
  securityContexts: {}
  # imagePullSecret stores the secret name used to pull images from repositories.
  # The secret should be in the same namespace of the Policy Server
  #
  # Example of usage:
  # imagePullSecret: "mysecret"
  imagePullSecret: null
  # insecureSources stores a list of allowed insecure registries.
  # NOTE(review): registries listed here appear to be fetched without TLS
  # verification; keep this null unless an isolated, trusted registry needs it,
  # and prefer sourceAuthorities below for registries with a private CA.
  #
  # Example of usage:
  # insecureSources:
  #   - "source1"
  #   - "source2"
  insecureSources: null
  # sourceAuthorities is a list of the URIs and their PEM encoded certificates
  # used to authenticate them
  #
  # Example of usage:
  # sourceAuthorities:
  #   - uri: "uri1"
  #     certs:
  #       - "cert1"
  #       - "cert2"
  #   - uri: "uri2"
  #     certs:
  #       - "cert3"
  #   - uri: "uri3"
  #     certs:
  #       - "cert4"
  sourceAuthorities: {}
  # affinity for pods of the default PolicyServer
  affinity: {}
  # limits and requests, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  limits: {}
  requests: {}
# apiVersion used for the policy resources this chart renders — presumably the
# Kubewarden policy CRD group/version; TODO confirm against the templates.
crdVersion: "policies.kubewarden.io/v1"
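recommendedPolicies:
  # Recommended policies are not deployed unless this is true.
  # Canonical lowercase boolean (yamllint `truthy`); `False` parsed the same
  # way but differs from the `true`/`false` spelling used elsewhere in this file.
  enabled: false
  # Used to define the registry where the Kubewarden policies are mirrored.
  # This can be useful if the registry used to mirror container images does
  # not support OCI artifacts.
  # If this field is not defined, the systemDefaultRegistry is used by default.
  defaultPoliciesRegistry: ""
  # Additional namespaces that recommended policies will not apply to:
  skipAdditionalNamespaces: []
  # Mode applied to every recommended policy. In "monitor" mode violations are
  # only reported, not rejected; set "protect" to actually enforce them.
  defaultPolicyMode: "monitor"
  # Each policy below pins the module repository and tag (prefixed with the
  # registry from defaultPoliciesRegistry / systemDefaultRegistry), the name
  # of the rendered policy resource, and the settings passed to the module.
  allowPrivilegeEscalationPolicy:
    module:
      repository: "kubewarden/policies/allow-privilege-escalation-psp"
      tag: v0.2.6
    name: "no-privilege-escalation"
    settings:
      allowPrivilegeEscalation: false
  hostNamespacePolicy:
    module:
      repository: "kubewarden/policies/host-namespaces-psp"
      tag: v0.1.6
    name: "no-host-namespace-sharing"
    settings:
      allow_host_ipc: false
      allow_host_network: false
      allow_host_pid: false
      # Empty list: no host port ranges are allowed.
      allow_host_ports: []
  podPrivilegedPolicy:
    module:
      repository: "kubewarden/policies/pod-privileged"
      tag: v0.3.2
    name: "no-privileged-pod"
    settings:
      # Both false: init and ephemeral containers are evaluated as well.
      skip_init_containers: false
      skip_ephemeral_containers: false
  userGroupPolicy:
    module:
      repository: "kubewarden/policies/user-group-psp"
      tag: v0.5.0
    name: "do-not-run-as-root"
    settings:
      run_as_user:
        rule: "MustRunAsNonRoot"
      run_as_group:
        rule: "RunAsAny"
      supplemental_groups:
        rule: "RunAsAny"
  hostPathsPolicy:
    module:
      repository: "kubewarden/policies/hostpaths-psp"
      tag: v0.1.10
    name: "do-not-share-host-paths"
    settings:
      # Only read-only mounts under /tmp are permitted; any other hostPath is
      # a violation.
      allowedHostPaths:
        - pathPrefix: "/tmp"
          readOnly: true
  capabilitiesPolicy:
    module:
      repository: "kubewarden/policies/capabilities-psp"
      tag: v0.1.15
    name: "drop-capabilities"
    settings:
      # Containers must drop ALL capabilities and may not add any back.
      allowed_capabilities: []
      required_drop_capabilities:
        - ALL
      default_add_capabilities: []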