Parameters

The parent key for all of the following parameters is kyverno.

`namespace`

type	string
default	`syn-kyverno`

The namespace in which to deploy this component.

`images`

type	dictionary

Dictionary containing the container images used by this component.

`clusterpolicies`

type

dictionary

default

{}

example

clusterpolicies:
  restrict-registries:  (1)
    metadata:
      annotations:
        policies.kyverno.io/title: Example Policy
        policies.kyverno.io/subject: Pod
      spec:
        validationFailureAction: enforce
        background: true
        rules:
          - ...

1	Key will be used as the default value for `metadata.name`

Dictionary containing ClusterPolicy.kyverno.io/v1 objects to be managed. Previously defined policies can be removed by setting policy-name: null in the dictionary.

`monitoring.enabled`

type	boolean
default	`true`

Controls if ServiceMonitor and PrometheusRule objects are created.

`manifest_version`

type

string

The version of the kyverno manifests to download.

`resourceFilters`

type

array

The admission webhook checks if a policy is applicable on all admission requests. The Kubernetes kinds that shouldn’t be processed. resourceFilters must be a sequence of one or more [<Kind>,<Namespace>,<Name>]` entries with as a wildcard. Thus, an item [Node,,*] means that admissions of kind Node in any namespace and with any name will be ignored. Wildcards are also supported in each of these sequences.

For example, the sequence [Pod,foo-system,redis*] filters out kind Pod in namespace foo-system having names beginning with redis.

`excludeGroupRole`

type

array

Exclude group roles from a user request.

`generateSuccessEvents`

type	string
default	`'false'`

Specifies whether (true/false) to generate success events.

`extraArgs`

type	array
default	`[]`
example	`extraArgs: - -v=2`

Allows passing extra arguments to Kyverno.

`containerSecurityContext`

type	dict
default	`{}`

This parameter allows customizing the container security context for the Kyverno deployment’s containers (both init containers, and regular containers). By default, the security contexts present in the upstream Kustomization are used.

On OpenShift 4.10 or older, where the upstream security context isn’t compatible with the restricted SCC, you can provide containerSecurityContext: null to completely drop the upstream container security context.

If a dict is provided, it’s merged with the upstream security context using a standard Kustomize strategic merge patch.

`additionalClusterRoles`

type

object

default

{}

example

my-name:
  - (1)
    apiGroups:
      - rbac.authorization.k8s.io
    verbs:
      - '*'
    resources:
      - rolebindings

1	The spec of the `rules` property within `ClusterRole` is taken verbatim.

Generates additional ClusterRole. This is useful if you want to deploy Kyverno policies that generate resources, but the Kyverno ServiceAccount might have insufficient RBAC permissions to do so.

See also additionalRoleBindings to bind the Kyverno ServiceAccount to the new roles.

The metadata.name is prefixed with kyverno:user: to avoid name clashes with existing resources.

`additionalRoleBindings`

type

object

default

{}

example

allowManageRoleBindings: (1)
  kind: ClusterRole
  name: kyverno:user:my-name (2)

1	This is the `metadata.name` of the RoleBinding.
2	The name of the Role or ClusterRole to bind to.

Generates additional ClusterRoleBinding s in the Kyverno namespace for the Kyverno SystemAccount. This is useful if you want to deploy Kyverno policies that generate resources in other namespaces, but the Kyverno ServiceAccount might have insufficient RBAC permissions to do so.

See also additionalClusterRoles if the necessary ClusterRole doesn’t exist.

The metadata.name is prefixed with kyverno:user: to avoid name clashes with existing resources.

If you need to reference a ClusterRole defined in additionalClusterRoles, you need to prefix the role name with kyverno:user: as shown in the example.

`replicas`

type	int
default	`3`

The number of Kyverno replicas. Three or more replicas are recommended for high availability.

`podDisruptionBudget`

type	dict
default	`{minAvailable: 1}`

Limit the number of concurrent disruptions. Set {minAvailable: 0} to disable. See kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#poddisruptionbudget-v1-policy. .spec.selector is injected from the deployment.

`nodeSelectorRole`

type	enum
values	`master`, `infra`, `null`
default	`master`

The node role to run Kyverno pods on. null equals no selector.

`affinity`

type

string

Affinity configuration for the Kyverno pods. See kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#affinity-v1-core

`secrets`

type	dict
default	`{}`
example	`myregistry: type: kubernetes.io/dockerconfigjson stringData: .dockerconfigjson: "?{vaultkv:t-my-tenant/c-my-cluster/kyverno/image_pullsecret}"`

This parameter allows users to deploy arbitrary secrets. Each entry is transformed into a Secret resource. The key is used as the name of the resulting resource. The provided value is merged with an empty Secret resource. The component doesn’t validate the provided secret configurations.

Users can remove secrets configured higher-up in the hierarchy by setting the corresponding value to null.

Always use stringData when using Vault references in secret configurations.