Parameters

The parent key for all of the following parameters is kyverno.

namespace

type

string

default

syn-kyverno

The namespace in which to deploy this component.

images

type

dictionary

Dictionary containing the container images used by this component.

monitoring.enabled

type

boolean

default

true

Controls if ServiceMonitor and PrometheusRule objects are created.

manifest_version

type

string

The version of the kyverno manifests to download.

resourceFilters

type

array

The admission webhook checks if a policy is applicable on all admission requests. The Kubernetes kinds that shouldn’t be processed. resourceFilters must be a sequence of one or more [<Kind>,<Namespace>,<Name>]` entries with as a wildcard. Thus, an item [Node,,*] means that admissions of kind Node in any namespace and with any name will be ignored. Wildcards are also supported in each of these sequences.

For example, the sequence [Pod,foo-system,redis*] filters out kind Pod in namespace foo-system having names beginning with redis.

excludeGroupRole

type

array

Exclude group roles from a user request.

generateSuccessEvents

type

string

default

'false'

Specifies whether (true/false) to generate success events.

extraArgs

type

array

default

[]

example
extraArgs:
- -v=2

Allows passing extra arguments to Kyverno.

additionalClusterRoles

type

object

default

{}

example
my-name:
  - (1)
    apiGroups:
      - rbac.authorization.k8s.io
    verbs:
      - '*'
    resources:
      - rolebindings
1 The spec of the rules property within ClusterRole is taken verbatim.

Generates additional ClusterRole. This is useful if you want to deploy Kyverno policies that generate resources, but the Kyverno ServiceAccount might have insufficient RBAC permissions to do so.

See also additionalRoleBindings to bind the Kyverno ServiceAccount to the new roles.

The metadata.name is prefixed with kyverno:user: to avoid name clashes with existing resources.

additionalRoleBindings

type

object

default

{}

example
allowManageRoleBindings: (1)
  kind: ClusterRole
  name: kyverno:user:my-name (2)
1 This is the metadata.name of the RoleBinding.
2 The name of the Role or ClusterRole to bind to.

Generates additional ClusterRoleBinding s in the Kyverno namespace for the Kyverno SystemAccount. This is useful if you want to deploy Kyverno policies that generate resources in other namespaces, but the Kyverno ServiceAccount might have insufficient RBAC permissions to do so.

See also additionalClusterRoles if the necessary ClusterRole doesn’t exist.

The metadata.name is prefixed with kyverno:user: to avoid name clashes with existing resources.
If you need to reference a ClusterRole defined in additionalClusterRoles, you need to prefix the role name with kyverno:user: as shown in the example.

replicas

type

int

default

3

The number of Kyverno replicas. Three or more replicas are recommended for high availability.

podDisruptionBudget

type

dict

default

{minAvailable: 1}

Limit the number of concurrent disruptions. Set {minAvailable: 0} to disable. See kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#poddisruptionbudget-v1-policy. .spec.selector is injected from the deployment.

nodeSelectorRole

type

enum

values

master, infra, null

default

master

The node role to run Kyverno pods on. null equals no selector.

affinity

type

string

secrets

type

dict

default

{}

example
myregistry:
  type: kubernetes.io/dockerconfigjson
  stringData:
    .dockerconfigjson: "?{vaultkv:t-my-tenant/c-my-cluster/kyverno/image_pullsecret}"

This parameter allows users to deploy arbitrary secrets. Each entry is transformed into a Secret resource. The key is used as the name of the resulting resource. The provided value is merged with an empty Secret resource. The component doesn’t validate the provided secret configurations.

Users can remove secrets configured higher-up in the hierarchy by setting the corresponding value to null.

Always use stringData when using Vault references in secret configurations.