diff --git a/gatekeeper/values.yaml b/gatekeeper/values.yaml
index d01ace9..0b0c6e7 100644
--- a/gatekeeper/values.yaml
+++ b/gatekeeper/values.yaml
@@ -1,277 +1,278 @@ -gatekeeper: - replicas: 3 - revisionHistoryLimit: 10 - auditInterval: 60 - metricsBackends: ["prometheus"] - auditMatchKindOnly: false - constraintViolationsLimit: 20 - auditFromCache: false - disableMutation: false - disableValidatingWebhook: false - validatingWebhookName: gatekeeper-validating-webhook-configuration - validatingWebhookTimeoutSeconds: 3 - validatingWebhookFailurePolicy: Ignore - validatingWebhookAnnotations: {} - validatingWebhookExemptNamespacesLabels: {} - validatingWebhookObjectSelector: {} - validatingWebhookCheckIgnoreFailurePolicy: Fail - validatingWebhookCustomRules: {} - validatingWebhookURL: null - enableDeleteOperations: false - enableExternalData: true - enableGeneratorResourceExpansion: true - enableTLSHealthcheck: false - maxServingThreads: -1 - mutatingWebhookName: gatekeeper-mutating-webhook-configuration - mutatingWebhookFailurePolicy: Ignore - mutatingWebhookReinvocationPolicy: Never - mutatingWebhookAnnotations: {} - mutatingWebhookExemptNamespacesLabels: {} - mutatingWebhookObjectSelector: {} - mutatingWebhookTimeoutSeconds: 1 - mutatingWebhookCustomRules: {} - mutatingWebhookURL: null - mutationAnnotations: false - auditChunkSize: 500 - logLevel: INFO - logDenies: false - logMutations: false - emitAdmissionEvents: false - emitAuditEvents: false - admissionEventsInvolvedNamespace: false - auditEventsInvolvedNamespace: false - resourceQuota: true - externaldataProviderResponseCacheTTL: 3m - image: - repository: openpolicyagent/gatekeeper - crdRepository: openpolicyagent/gatekeeper-crds - release: v3.15.0-beta.0 - pullPolicy: Always - pullSecrets: [] - preInstall: - crdRepository: - image: - repository: null - tag: v3.15.0-beta.0 - postUpgrade: - labelNamespace: - enabled: false - image: - repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 - pullPolicy: IfNotPresent - pullSecrets: [] - extraNamespaces: [] - podSecurity: ["pod-security.kubernetes.io/audit=restricted", - 
"pod-security.kubernetes.io/audit-version=latest", - "pod-security.kubernetes.io/warn=restricted", - "pod-security.kubernetes.io/warn-version=latest", - "pod-security.kubernetes.io/enforce=restricted", - "pod-security.kubernetes.io/enforce-version=v1.24"] - extraAnnotations: {} - priorityClassName: "" - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - postInstall: - labelNamespace: - enabled: true - extraRules: [] - image: - repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 - pullPolicy: IfNotPresent - pullSecrets: [] - extraNamespaces: [] - podSecurity: ["pod-security.kubernetes.io/audit=restricted", - "pod-security.kubernetes.io/audit-version=latest", - "pod-security.kubernetes.io/warn=restricted", - "pod-security.kubernetes.io/warn-version=latest", - "pod-security.kubernetes.io/enforce=restricted", - "pod-security.kubernetes.io/enforce-version=v1.24"] - extraAnnotations: {} - priorityClassName: "" - probeWebhook: - enabled: true - image: - repository: curlimages/curl - tag: 7.83.1 - pullPolicy: IfNotPresent - pullSecrets: [] - waitTimeout: 60 - httpTimeout: 2 - insecureHTTPS: false - priorityClassName: "" - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - preUninstall: - deleteWebhookConfigurations: - extraRules: [] - enabled: false - image: - repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 - pullPolicy: IfNotPresent - pullSecrets: [] - priorityClassName: "" - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: 
- - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - podAnnotations: {} - auditPodAnnotations: {} - podLabels: {} - podCountLimit: "100" - secretAnnotations: {} - enableRuntimeDefaultSeccompProfile: true - controllerManager: - exemptNamespaces: [] - exemptNamespacePrefixes: [] - hostNetwork: false - dnsPolicy: ClusterFirst - port: 8443 - metricsPort: 8888 - healthPort: 9090 - readinessTimeout: 1 - livenessTimeout: 1 - priorityClassName: system-cluster-critical - disableCertRotation: false - tlsMinVersion: 1.3 - clientCertName: "" - strategyType: RollingUpdate - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: gatekeeper.sh/operation - operator: In - values: - - webhook - topologyKey: kubernetes.io/hostname - weight: 100 - topologySpreadConstraints: [] - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: - limits: - memory: 512Mi - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - podSecurityContext: - fsGroup: 999 - supplementalGroups: - - 999 - extraRules: [] - networkPolicy: - enabled: false - ingress: { } - # - from: - # - ipBlock: - # cidr: 0.0.0.0/0 - audit: - enablePubsub: false - connection: audit-connection - channel: audit-channel - hostNetwork: false - dnsPolicy: ClusterFirst - metricsPort: 8888 - healthPort: 9090 - readinessTimeout: 1 - livenessTimeout: 1 - priorityClassName: system-cluster-critical - disableCertRotation: false - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: - limits: - memory: 512Mi - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - 
runAsUser: 1000 - podSecurityContext: - fsGroup: 999 - supplementalGroups: - - 999 - writeToRAMDisk: false - extraRules: [] - crds: - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - pdb: - controllerManager: - minAvailable: 1 - service: {} - disabledBuiltins: ["{http.send}"] - psp: - enabled: true - upgradeCRDs: - enabled: true - extraRules: [] - priorityClassName: "" - rbac: - create: true - externalCertInjection: - enabled: false - secretName: gatekeeper-webhook-server-cert +#gatekeeper: +# replicas: 3 +# revisionHistoryLimit: 10 +# auditInterval: 60 +# metricsBackends: ["prometheus"] +# auditMatchKindOnly: false +# constraintViolationsLimit: 20 +# auditFromCache: false +# disableMutation: false +# disableValidatingWebhook: false +# validatingWebhookName: gatekeeper-validating-webhook-configuration +# validatingWebhookTimeoutSeconds: 3 +# validatingWebhookFailurePolicy: Ignore +# validatingWebhookAnnotations: {} +# validatingWebhookExemptNamespacesLabels: {} +# validatingWebhookObjectSelector: {} +# validatingWebhookCheckIgnoreFailurePolicy: Fail +# validatingWebhookCustomRules: {} +# validatingWebhookURL: null +# enableDeleteOperations: false +# enableExternalData: true +# enableGeneratorResourceExpansion: true +# enableTLSHealthcheck: false +# maxServingThreads: -1 +# mutatingWebhookName: gatekeeper-mutating-webhook-configuration +# mutatingWebhookFailurePolicy: Ignore +# mutatingWebhookReinvocationPolicy: Never +# mutatingWebhookAnnotations: {} +# mutatingWebhookExemptNamespacesLabels: {} +# mutatingWebhookObjectSelector: {} +# mutatingWebhookTimeoutSeconds: 1 +# mutatingWebhookCustomRules: {} +# mutatingWebhookURL: null +# mutationAnnotations: false +# auditChunkSize: 500 +# logLevel: INFO +# logDenies: false +# logMutations: false +# 
emitAdmissionEvents: false +# emitAuditEvents: false +# admissionEventsInvolvedNamespace: false +# auditEventsInvolvedNamespace: false +# resourceQuota: true +# externaldataProviderResponseCacheTTL: 3m +# image: +# repository: openpolicyagent/gatekeeper +# crdRepository: openpolicyagent/gatekeeper-crds +# release: v3.15.0-beta.0 +# pullPolicy: Always +# pullSecrets: [] +# preInstall: +# crdRepository: +# image: +# repository: null +# tag: v3.15.0-beta.0 +# postUpgrade: +# labelNamespace: +# enabled: false +# image: +# repository: openpolicyagent/gatekeeper-crds +# tag: v3.15.0-beta.0 +# pullPolicy: IfNotPresent +# pullSecrets: [] +# extraNamespaces: [] +# podSecurity: ["pod-security.kubernetes.io/audit=restricted", +# "pod-security.kubernetes.io/audit-version=latest", +# "pod-security.kubernetes.io/warn=restricted", +# "pod-security.kubernetes.io/warn-version=latest", +# "pod-security.kubernetes.io/enforce=restricted", +# "pod-security.kubernetes.io/enforce-version=v1.24"] +# extraAnnotations: {} +# priorityClassName: "" +# affinity: {} +# tolerations: [] +# nodeSelector: {kubernetes.io/os: linux} +# resources: {} +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsGroup: 999 +# runAsNonRoot: true +# runAsUser: 1000 +# postInstall: +# labelNamespace: +# enabled: true +# extraRules: [] +# image: +# repository: openpolicyagent/gatekeeper-crds +# tag: v3.15.0-beta.0 +# pullPolicy: IfNotPresent +# pullSecrets: [] +# extraNamespaces: [] +# podSecurity: ["pod-security.kubernetes.io/audit=restricted", +# "pod-security.kubernetes.io/audit-version=latest", +# "pod-security.kubernetes.io/warn=restricted", +# "pod-security.kubernetes.io/warn-version=latest", +# "pod-security.kubernetes.io/enforce=restricted", +# "pod-security.kubernetes.io/enforce-version=v1.24"] +# extraAnnotations: {} +# priorityClassName: "" +# probeWebhook: +# enabled: true +# image: +# repository: curlimages/curl +# tag: 7.83.1 
+# pullPolicy: IfNotPresent +# pullSecrets: [] +# waitTimeout: 60 +# httpTimeout: 2 +# insecureHTTPS: false +# priorityClassName: "" +# affinity: {} +# tolerations: [] +# nodeSelector: {kubernetes.io/os: linux} +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsGroup: 999 +# runAsNonRoot: true +# runAsUser: 1000 +# preUninstall: +# deleteWebhookConfigurations: +# extraRules: [] +# enabled: false +# image: +# repository: openpolicyagent/gatekeeper-crds +# tag: v3.15.0-beta.0 +# pullPolicy: IfNotPresent +# pullSecrets: [] +# priorityClassName: "" +# affinity: {} +# tolerations: [] +# nodeSelector: {kubernetes.io/os: linux} +# resources: {} +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsGroup: 999 +# runAsNonRoot: true +# runAsUser: 1000 +# podAnnotations: {} +# auditPodAnnotations: {} +# podLabels: {} +# podCountLimit: "100" +# secretAnnotations: {} +# enableRuntimeDefaultSeccompProfile: true +# controllerManager: +# exemptNamespaces: [] +# exemptNamespacePrefixes: [] +# hostNetwork: false +# dnsPolicy: ClusterFirst +# port: 8443 +# metricsPort: 8888 +# healthPort: 9090 +# readinessTimeout: 1 +# livenessTimeout: 1 +# priorityClassName: system-cluster-critical +# disableCertRotation: false +# tlsMinVersion: 1.3 +# clientCertName: "" +# strategyType: RollingUpdate +# affinity: +# podAntiAffinity: +# preferredDuringSchedulingIgnoredDuringExecution: +# - podAffinityTerm: +# labelSelector: +# matchExpressions: +# - key: gatekeeper.sh/operation +# operator: In +# values: +# - webhook +# topologyKey: kubernetes.io/hostname +# weight: 100 +# topologySpreadConstraints: [] +# tolerations: [] +# nodeSelector: {kubernetes.io/os: linux} +# resources: +# limits: +# memory: 512Mi +# requests: +# cpu: 100m +# memory: 512Mi +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# drop: +# - ALL +# 
readOnlyRootFilesystem: true +# runAsGroup: 999 +# runAsNonRoot: true +# runAsUser: 1000 +# podSecurityContext: +# fsGroup: 999 +# supplementalGroups: +# - 999 +# extraRules: [] +# networkPolicy: +# enabled: false +# ingress: { } +# # - from: +# # - ipBlock: +# # cidr: 0.0.0.0/0 +# audit: +# enablePubsub: false +# connection: audit-connection +# channel: audit-channel +# hostNetwork: false +# dnsPolicy: ClusterFirst +# metricsPort: 8888 +# healthPort: 9090 +# readinessTimeout: 1 +# livenessTimeout: 1 +# priorityClassName: system-cluster-critical +# disableCertRotation: false +# affinity: {} +# tolerations: [] +# nodeSelector: {kubernetes.io/os: linux} +# resources: +# limits: +# memory: 512Mi +# requests: +# cpu: 100m +# memory: 512Mi +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsGroup: 999 +# runAsNonRoot: true +# runAsUser: 1000 +# podSecurityContext: +# fsGroup: 999 +# supplementalGroups: +# - 999 +# writeToRAMDisk: false +# extraRules: [] +# crds: +# affinity: {} +# tolerations: [] +# nodeSelector: {kubernetes.io/os: linux} +# resources: {} +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsGroup: 65532 +# runAsNonRoot: true +# runAsUser: 65532 +# pdb: +# controllerManager: +# minAvailable: 1 +# service: {} +# disabledBuiltins: ["{http.send}"] +# psp: +# enabled: true +# upgradeCRDs: +# enabled: true +# extraRules: [] +# priorityClassName: "" +# rbac: +# create: true +# externalCertInjection: +# enabled: false +# secretName: gatekeeper-webhook-server-cert +# \ No newline at end of file
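Review bot: Every override in this file is now commented out instead of removed, so the hunk leaves dead YAML behind and drops the security-relevant settings without saying which ones are meant to change. Values such as `disabledBuiltins: ["{http.send}"]`, `tlsMinVersion: 1.3`, the `v3.15.0-beta.0` image tags and the `securityContext` blocks (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `capabilities.drop: ALL`) will presumably fall back to the chart's own defaults, which are not visible here. Please compare the `helm template` output before and after, and record in the commit message that any difference in the admission webhook or pod hardening is intended. If the overrides are truly unneeded, delete the lines and keep a one-line header such as `# Intentionally empty: upstream chart defaults apply.`, and end the file with a newline.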