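# This file was autogenerated.
# NOTE(review): the indentation in this listing was reconstructed from a
# flattened copy; confirm the nesting against the chart source before use.
# Common settings across multiple charts. These settings will be used
# by more than one chart and they ideally need to match during the
# installation of the charts consuming these values.
global:
  # affinity:
  #   podAffinity:
  #     requiredDuringSchedulingIgnoredDuringExecution:
  #       - labelSelector:
  #           matchExpressions:
  #             - key: security
  #               operator: In
  #               values:
  #                 - S1
  #         topologyKey: topology.kubernetes.io/zone
  #   podAntiAffinity:
  #     preferredDuringSchedulingIgnoredDuringExecution:
  #       - weight: 100
  #         podAffinityTerm:
  #           labelSelector:
  #             matchExpressions:
  #               - key: security
  #                 operator: In
  #                 values:
  #                   - S2
  #           topologyKey: topology.kubernetes.io/zone
  #   nodeAffinity:
  #     requiredDuringSchedulingIgnoredDuringExecution:
  #       nodeSelectorTerms:
  #         - matchExpressions:
  #             - key: kubernetes.io/os
  #               operator: In
  #               values:
  #                 - linux
  #     preferredDuringSchedulingIgnoredDuringExecution:
  #       - weight: 1
  #         preference:
  #           matchExpressions:
  #             - key: label-1
  #               operator: In
  #               values:
  #                 - key-1
  #       - weight: 50
  #         preference:
  #           matchExpressions:
  #             - key: label-2
  #               operator: In
  #               values:
  #                 - key-2
  affinity: {}
  # tolerations:
  #   - key: "key1"
  #     operator: "Equal"
  #     value: "value1"
  #     effect: "NoSchedule"
  #   - key: "key1"
  #     operator: "Equal"
  #     value: "value1"
  #     effect: "NoExecute"
  tolerations: []
  # priorityClassName: ""
  cattle:
    # Registry prefix applied to every image repository in this chart
    # (image, preDeleteJob.image and auditScanner.image). It decides where all
    # of the chart's workloads are pulled from, so point it only at a registry
    # you trust and control.
    systemDefaultRegistry: ghcr.io
  # Namespaces the audit scanner leaves out of its scans; presumably the base
  # list that auditScanner.skipAdditionalNamespaces extends — confirm against
  # the chart templates.
  skipNamespaces:
    - calico-apiserver
    - calico-system
    - capi-system
    - cattle-capi-system
    - cattle-alerting
    - cattle-csp-adapter-system
    - cattle-elemental-system
    - cattle-epinio-system
    - cattle-externalip-system
    - cattle-fleet-local-system
    - cattle-fleet-system
    - cattle-gatekeeper-system
    - cattle-global-data
    - cattle-global-nt
    - cattle-impersonation-system
    - cattle-istio
    - cattle-istio-system
    - cattle-logging
    - cattle-logging-system
    - cattle-monitoring-system
    - cattle-neuvector-system
    - cattle-prometheus
    - cattle-provisioning-capi-system
    - cattle-resources-system
    - cattle-sriov-system
    - cattle-system
    - cattle-turtles-system
    - cattle-ui-plugin-system
    - cattle-windows-gmsa-system
    - cert-manager
    - cis-operator-system
    - fleet-default
    - ingress-nginx
    - istio-system
    - kube-node-lease
    - kube-public
    - kube-system
    - longhorn-system
    - rancher-alerting-drivers
    - security-scan
    - tigera-operator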
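# Settings for kubewarden-controller.
# nameOverride replaces the release name of the chart in the Chart.yaml file
# when it is used to construct Kubernetes object names
nameOverride: ""
# fullnameOverride completely replaces the generated release name
fullnameOverride: ""
# Secrets to pull container images from private registries
imagePullSecrets: []
# -- Additional labels to add to all resources
additionalLabels: {}
# app: kubewarden-controller
# -- Additional annotations to add to all resources
additionalAnnotations: {}
# owner: IT-group1
# SecurityContext to be used in the controller and audit-scanner containers. The
# content of containerSecurityContext is set directly as the securityContext
# of the container. The defaults block privilege escalation and drop every
# Linux capability.
# NOTE(review): readOnlyRootFilesystem is not set here; check whether these
# containers need a writable root filesystem before adding it.
containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
# SecurityContext to be used in the controller and audit-scanner pods. The
# content of podSecurityContext is set directly as the securityContext
# of the pod.
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
# SecurityContext to be used in the pre-delete-hook job container and pod.
# The content of the next fields is set directly as the securityContext
# of the container and pod used in the pre-delete-hook job.
preDeleteHook:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
  podSecurityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
# If true, the controller will always accept admission reviews in the
# deployment namespace. It is recommended to keep this value true unless you
# have a specific reason to disable it. This is a safety flag to avoid policy
# evaluations that could interfere with the Kubewarden stack running in the
# admission controller namespace.
alwaysAcceptAdmissionReviewsOnDeploymentsNamespace: true
# Verbosity of logging. Can be one of 'debug', 'info', 'error'.
logLevel: info
# open-telemetry options
telemetry:
  # Kubewarden controller telemetry configuration allows two OpenTelemetry
  # collector communication options:
  # - sidecar: creates an Otel collector sidecar and configures the
  #   controller and policy server to send metrics and traces to it.
  # - custom: configures the controller and policy server to send metrics
  #   and traces to a custom collector that is not running as a sidecar.
  # The default configuration is to use the sidecar option. Therefore, if
  # telemetry.metrics or telemetry.tracing are set to true, the sidecar will be
  # deployed. If you want to use a custom collector, set mode to "custom".
  mode: sidecar
  # telemetry.metrics is used to enable/disable the metrics collection and
  # export to the OpenTelemetry collector.
  metrics: false
  # telemetry.tracing is used to enable/disable the tracing collection and
  # export to the OpenTelemetry collector.
  tracing: false
  # The following settings are mandatory to configure the OpenTelemetry
  # exporter in the controller and policy server to send metrics and traces to
  # a custom collector. These settings are ignored when sidecar mode is used.
  custom:
    # telemetry.custom.endpoint is the Otel collector endpoint to send metrics
    # and traces to. It should be in the format https://<hostname>:<port>.
    endpoint: ""
    # telemetry.custom.insecure is used to configure the OpenTelemetry exporter
    # to skip the certificate validation when sending metrics and traces to a
    # remote collector. Skipping validation lets anyone on the network path
    # impersonate the collector and read or alter the telemetry; keep this
    # false and trust the collector through otelCollectorCertificateSecret
    # instead.
    insecure: false
    # The following settings are required to configure the OpenTelemetry
    # exporter in the controller and policy server to send metrics and traces
    # to a remote collector using TLS. Both secrets must be created in the
    # same namespace where the controller is deployed.
    #
    # telemetry.custom.otelCollectorCertificateSecret should contain a key
    # ca.crt storing the certificate to validate the remote collector
    # certificate.
    otelCollectorCertificateSecret: ""
    # telemetry.custom.otelCollectorClientCertificateSecret is optional. It is
    # only required when the remote collector requires client authentication
    # (mTLS). It should contain two keys, tls.crt and tls.key, storing the
    # client certificate and key respectively.
    otelCollectorClientCertificateSecret: ""
  # The following settings are used to configure the Prometheus metrics and
  # Jaeger tracing when sidecar mode is used. Otherwise, these settings are
  # ignored.
  sidecar:
    # telemetry.sidecar.metrics is used to configure the Prometheus metrics
    # exporter in the Otel collector sidecar
    metrics:
      # port of the prometheus exporter and PolicyServer metric service
      port: 8080
    # telemetry.sidecar.tracing is used to configure the Jaeger tracing
    # exporter in the Otel collector sidecar
    tracing:
      jaeger: {}
        # OTLP/Jaeger endpoint to send traces to
        # endpoint: "all-in-one-collector.jaeger.svc.cluster.local:4317"
        # tls:
        #   insecure: true
image:
  # The registry is defined in the global.cattle.systemDefaultRegistry value
  # controller image to be used
  repository: "kubewarden/kubewarden-controller"
  # image tag
  tag: v1.35.0
  pullPolicy: IfNotPresent
preDeleteJob:
  image:
    # The registry is defined in the global.cattle.systemDefaultRegistry value
    # kuberlr-kubectl image to be used in the pre-delete helm hook.
    repository: "rancher/kuberlr-kubectl"
    tag: v8.0.0
# kubewarden-controller deployment settings:
podAnnotations: {}
nodeSelector: {}
# additionalEnvironmentVariables is a list of additional environment variables
# to inject into the controller container.
# Each entry is a standard Kubernetes EnvVar object (name, value, valueFrom, …).
# Example:
# additionalEnvironmentVariables:
#   - name: MY_VAR
#     value: "my-value"
additionalEnvironmentVariables: []
# Resource limits & requests
# Ref: https://kubernetes.io/docs/user-guide/compute-resources/
resources:
  controller:
    limits:
      cpu: 500m
      memory: 200Mi
    requests:
      cpu: 250m
      memory: 70Mi
  auditScanner:
    limits:
      cpu: 500m
      memory: 1Gi
    requests:
      cpu: 250m
      memory: 300Mi
  preDeleteJob:
    limits:
      cpu: 100m
      memory: 128Mi
    requests:
      cpu: 50m
      memory: 64Mi
  postInstallJob:
    limits:
      cpu: 100m
      memory: 128Mi
    requests:
      cpu: 50m
      memory: 64Mi
mTLS:
  # Enable mutual TLS authentication. This will require TLS connections with
  # both the server and client being authenticated, between the kubewarden
  # policy-servers and the Kubernetes API server, as well as between the
  # policy-servers and the audit-scanner.
  # Enabling this feature will require the Kubernetes API server to be
  # configured. If that is not achievable, consider using a service mesh.
  enable: false
  # name of the ConfigMap in the kubewarden-controller namespace containing
  # the client CA certificate. The ConfigMap must contain a data.client-ca.crt
  # key with the CA cert in PEM format, encoded in base64.
  configMapName: ""
# Controller replicas
replicas: 1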
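auditScanner:
  enable: true
  # Deploys the policy-reporter subchart; its values live under the
  # top-level policy-reporter key.
  policyReporter: false
  # The default audit-scanner ServiceAccount is bound to the ClusterRoles:
  # - view: Allows read-only access to most objects in a namespace.
  #   Does not allow viewing secrets, roles or role bindings.
  # - audit-scanner-cluster-role: Allows read-write to Kubewarden resources
  #   and Reports
  serviceAccountName: audit-scanner
  image:
    # The registry is defined in the global.cattle.systemDefaultRegistry value
    # audit-scanner image run by the cronJob configured below
    repository: "kubewarden/audit-scanner"
    tag: v1.35.0
    pullPolicy: IfNotPresent
  cronJob:
    schedule: "*/60 * * * *" # every 60 minutes
    failedJobsHistoryLimit: 5
    successfulJobsHistoryLimit: 3
    containerRestartPolicy: Never
  # The audit scanner allows users to use the Kubernetes policy working group
  # PolicyReports CRDs or OpenReports CRDs to store the results of the
  # audits. Therefore, users can choose between: openreports or policyreport.
  # If not defined, the audit scanner default value is used.
  #
  # The CRDs used to store the audit scanner results must be installed in the
  # cluster. You can install both of them by enabling the right flags in the
  # kubewarden-crds installation. If you want to use the PolicyReports CRDs,
  # enable the installPolicyReportCRDs flag. If you want to use the
  # OpenReports CRDs, enable the installOpenReportCRDs flag.
  reportCRDsKind: "openreports"
  # Additional namespaces that the audit scanner will not scan:
  skipAdditionalNamespaces: []
  # level of logs. One of trace, debug, info, warn, error, fatal
  logLevel: info
  # Output result of scan to stdout in JSON upon completion
  outputScan: false
  # Configures whether a (Cluster)PolicyReport is stored in Kubernetes/etcd
  # or not
  disableStore: false
  # Configures the number of Namespaces to be audited in parallel
  parallelNamespaces: 1
  # Configures the number of resources to be audited in parallel
  parallelResources: 100
  # Configures the number of policies to evaluate for a given resource in
  # parallel
  parallelPolicies: 5
  # Configures the number of resources to fetch from the Kubernetes API server
  # when paginating
  pageSize: 100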
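# Values to configure the policy reporter subchart enabled by the
# auditScanner.policyReporter flag
policy-reporter:
  # image:
  #   registry: ghcr.io
  #   repository: kyverno/policy-reporter
  #   tag: ~
  ui:
    enabled: true
    # image:
    #   registry: ghcr.io
    #   repository: kyverno/policy-reporter-ui
    #   tag: ~
    views:
      logs: false
    logo:
      disabled: true
    # Only show results produced by Kubewarden in the UI
    sourceFilters:
      - selector:
          source: kubewarden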