# Override the chart name used for all resources nameOverride: "" image: registry: ghcr.io repository: kyverno/policy-reporter pullPolicy: IfNotPresent tag: 2.18.2 imagePullSecrets: [] priorityClassName: "" replicaCount: 1 revisionHistoryLimit: 10 deploymentStrategy: {} # rollingUpdate: # maxSurge: 25% # maxUnavailable: 25% # type: RollingUpdate # When using a custom port together with the PolicyReporter UI # the port has also to be changed in the UI subchart as well because it can't access the parent values. # You can change the port under `ui.policyReporter.port` port: name: http number: 8080 # Key/value pairs that are attached to all resources. annotations: {} # Create cluster role policies rbac: enabled: true serviceAccount: # Specifies whether a service account should be created create: true # Annotations to add to the service account annotations: {} # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" service: enabled: true ## configuration of service # key/value annotations: {} # key/value labels: {} type: ClusterIP # integer number. This is port for service port: 8080 podSecurityContext: fsGroup: 1234 securityContext: runAsUser: 1234 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: - ALL seccompProfile: type: RuntimeDefault # Key/value pairs that are attached to pods. podAnnotations: {} # Key/value pairs that are attached to pods. podLabels: {} # Allow additional env variables to be added envVars: [] resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. # limits: # memory: 100Mi # cpu: 10m # requests: # memory: 75Mi # cpu: 5m # Enable a NetworkPolicy for this chart. Useful on clusters where Network Policies are # used and configured in a default-deny fashion. networkPolicy: enabled: false # Kubernetes API Server egress: - to: ports: - protocol: TCP port: 6443 ingress: [] ## Set to true to enable ingress record generation # ref to: https://kubernetes.io/docs/concepts/services-networking/ingress/ ingress: enabled: false className: "" # key/value labels: {} # key/value annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" hosts: - host: chart-example.local paths: [] tls: [] # - secretName: chart-example-tls # hosts: # - chart-example.local logging: encoding: console # possible encodings are console and json logLevel: 0 # default info development: false # more human readable structure, enables stacktraces and removes log sampling api: logging: false # enable debug API access logging, sets logLevel to debug # REST API rest: enabled: false # Prometheus Metrics API metrics: enabled: false mode: detailed # available modes are detailed, simple and custom customLabels: [] # only used for custom mode. Supported fields are: ["namespace", "rule", "policy", "report" // PolicyReport name, "kind" // resource kind, "name" // resource name, "status", "severity", "category", "source"] # filter: # sources: # exclude: ["Trivy CIS Kube Bench"] # status: # exclude: ["pass", "skip"] profiling: enabled: false # amount of queue workers for PolicyReport resource processing worker: 5 # Filter PolicyReport resources to process reportFilter: namespaces: # Process only PolicyReport resources from an included namespace, wildcards are supported include: [] # Ignore all PolicyReport resources from a excluded namespace, wildcards are supported # exclude will be ignored if an include filter exists exclude: [] clusterReports: # Disable the processing of ClusterPolicyReports disabled: false # customize source specific logic like result ID generation sourceConfig: {} # sourcename: # customID: # enabled: true # fields: ["resource", "policy", "rule", "category", "result", "message"] # enable policy-report-ui ui: enabled: false kyvernoPlugin: enabled: false # Settings for the monitoring subchart monitoring: enabled: false database: # Database Type, supported: mysql, postgres, mariadb type: "" database: "" # Database Name username: "" password: "" host: "" enableSSL: false # instead of configure the individual values you can also provide an DSN string # example postgres: postgres://postgres:password@localhost:5432/postgres?sslmode=disable # example mysql: root:password@tcp(localhost:3306)/test?tls=false dsn: "" # configure an existing secret as source for your values # supported fields: username, password, host, dsn, database secretRef: "" # use an mounted secret as source for your values, required the information in JSON format # supported fields: username, password, host, dsn, database mountedSecret: "" global: # available plugins plugins: # enable kyverno for Policy Reporter UI and monitoring kyverno: false # The name of service policy-report. Defaults to ReleaseName. backend: "" # overwrite the fullname of all resources including subcharts fullnameOverride: "" # configure the namespace of all resources including subcharts namespace: "" # additional labels added on each resource labels: {} # basicAuth for APIs and metrics basicAuth: # HTTP BasicAuth username username: "" # HTTP BasicAuth password password: "" # read credentials from secret secretRef: "" emailReports: clusterName: "" # (optional) - displayed in the email report if configured titlePrefix: "Report" # title prefix in the email subject smtp: secret: "" # (optional) secret name to provide the complete or partial SMTP configuration host: "" port: 465 username: "" password: "" from: "" # displayed from email address encryption: "" # default is none, supports ssl/tls and starttls skipTLS: false certificate: "" # basic summary report summary: enabled: false schedule: "0 8 * * *" # CronJob schedule defines when the report will be send activeDeadlineSeconds: 300 # timeout in seconds backoffLimit: 3 # retry counter ttlSecondsAfterFinished: 0 restartPolicy: Never # pod restart policy to: [] # list of receiver email addresses filter: {} # optional filters # disableClusterReports: false # remove ClusterPolicyResults from Reports # namespaces: # include: [] # exclude: [] # sources: # include: [] # exclude: [] channels: [] # (optional) channels can be used to to send only a subset of namespaces / sources to dedicated email addresses channels: [] # (optional) channels can be used to to send only a subset of namespaces / sources to dedicated email addresses # - to: ['team-a@company.org'] # filter: # disableClusterReports: true # namespaces: # include: ['team-a-*'] # sources: # include: ['Kyverno'] # violation summary report violations: enabled: false schedule: "0 8 * * *" # CronJob schedule defines when the report will be send activeDeadlineSeconds: 300 # timeout in seconds backoffLimit: 3 # retry counter ttlSecondsAfterFinished: 0 restartPolicy: Never # pod restart policy to: [] # list of receiver email addresses filter: {} # optional filters # disableClusterReports: false # remove ClusterPolicyResults from Reports # namespaces: # include: [] # exclude: [] # sources: # include: [] # exclude: [] channels: [] # (optional) channels can be used to to send only a subset of namespaces / sources to dedicated email addresses channels: [] # (optional) channels can be used to to send only a subset of namespaces / sources to dedicated email addresses # - to: ['team-a@company.org'] # filter: # disableClusterReports: true # namespaces: # include: ['team-a-*'] # sources: # include: ['Kyverno'] resources: {} # limits: # memory: 100Mi # cpu: 10m # requests: # memory: 75Mi # cpu: 5m # Reference a configuration which already exists instead of creating one existingTargetConfig: enabled: false # Name of the secret with the config name: "" # subPath within the secret (defaults to config.yaml) subPath: "" # Supported targets for new PolicyReport Results target: loki: # loki host address host: "" # path to your custom certificate # can be added under extraVolumes certificate: "" # skip TLS verification if necessary skipTLS: false # receive the host from an existing secret instead secretRef: "" # Mounted secret path by Secrets Controller, secret should be in json format mountedSecret: "" # loki api path, defaults to "/api/prom/push" (deprecated) path: "" # minimum priority "" < info < warning < critical < error minimumPriority: "" # list of sources which should send to loki sources: [] # Skip already existing PolicyReportResults on startup skipExistingOnStartup: true # Added as additional labels to each Loki event customLabels: {} # Additional custom HTTP Headers headers: {} # HTTP BasicAuth credentials for Loki username: "" password: "" # Filter Results which should send to this target by report labels, namespaces, priorities or policies # Wildcars for namespaces and policies are supported, you can either define exclude or include values # Filters are available for all targets except the UI filter: {} # namespaces: # include: ["develop"] # priorities: # exclude: ["debug", "info", "error"] # labels: # include: ["app", "owner:team-a", "monitoring:*"] channels: [] # - host: "http://loki.loki-stack:3100" # sources: [] # customLabels: {} # filter: # namespaces: # include: ["develop"] # priorities: # exclude: ["debug", "info", "error"] # reportLabels: # . include: ["app", "owner:team-b"] elasticsearch: # elasticsearch host address host: "" # path to your custom certificate # can be added under extraVolumes certificate: "" # skip TLS verification if necessary skipTLS: false # elasticsearch index (default: policy-reporter) index: "" # elasticsearch username für HTTP Basic Auth username: "" # elasticsearch password für HTTP Basic Auth password: "" # elasticsearch apiKey für apiKey authentication apiKey: "" # receive the host, username and/or password,apiKey from an existing secret instead secretRef: "" # Mounted secret path by Secrets Controller, secret should be in json format mountedSecret: "" # elasticsearch index rotation and index suffix # possible values: daily, monthly, annually, none (default: daily) rotation: "" # minimum priority "" < info < warning < critical < error minimumPriority: "" # list of sources which should send to elasticsearch sources: [] # Skip already existing PolicyReportResults on startup skipExistingOnStartup: true # https://www.elastic.co/blog/moving-from-types-to-typeless-apis-in-elasticsearch-7-0 keeping as false for retrocompatibility. typelessApi: false # Added as additional properties to each elasticsearch event customFields: {} # filter results send by namespaces, policies and priorities filter: {} # add additional elasticsearch channels with different configurations and filters channels: [] slack: # slack app webhook address webhook: "" # slack channel channel: "" # receive the webhook from an existing secret instead secretRef: "" # Mounted secret path by Secrets Controller, secret should be in json format mountedSecret: "" # minimum priority "" < info < warning < critical < error minimumPriority: "" # list of sources which should send to slack sources: [] # Skip already existing PolicyReportResults on startup skipExistingOnStartup: true # Added as additional fields to each Slack event customFields: {} # filter results send by namespaces, policies and priorities filter: {} # add additional slack channels with different configurations and filters channels: [] # - webhook: "https://slack.webhook1" # channel: "" # filter: # namespaces: # include: ["develop"] # priorities: # exclude: ["debug", "info", "error"] # policies: # include: ["require-run-as-nonroot"] # reportLabels: # . include: ["app", "owner:team-b"] # - webhook: "https://slack.webhook2" # minimumPriority: "warning" # filter: # namespaces: # include: ["team-a-*"] discord: # discord app webhook address webhook: "" # receive the webhook from an existing secret instead secretRef: "" # Mounted secret path by Secrets Controller, secret should be in json format mountedSecret: "" # minimum priority "" < info < warning < critical < error minimumPriority: "" # list of sources which should send to discord sources: [] # Skip already existing PolicyReportResults on startup skipExistingOnStartup: true # filter results send by namespaces, policies and priorities filter: {} # add additional discord channels with different configurations and filters channels: [] teams: # teams webhook address webhook: "" # receive the webhook from an existing secret instead secretRef: "" # Mounted secret path by Secrets Controller, secret should be in json format mountedSecret: "" # path to your custom certificate # can be added under extraVolumes certificate: "" # skip TLS verification if necessary skipTLS: false # minimum priority "" < info < warning < critical < error minimumPriority: "" # list of sources which should send to teams sources: [] # Skip already existing PolicyReportResults on startup skipExistingOnStartup: true # filter results send by namespaces, policies and priorities filter: {} # add additional teams channels with different configurations and filters channels: [] ui: # ui host address host: "" # path to your custom certificate # can be added under extraVolumes certificate: "" # skip TLS verification if necessary skipTLS: false # minimum priority "" < info < warning < critical < error minimumPriority: "warning" # list of sources which should send to the UI Log sources: [] # Skip already existing PolicyReportResults on startup skipExistingOnStartup: true webhook: # webhook host address host: "" # path to your custom certificate # can be added under extraVolumes certificate: "" # skip TLS verification if necessary skipTLS: false # receive the host and/or token from an existing secret, the token is added as Authorization header secretRef: "" # Mounted secret path by Secrets Controller, secret should be in json format mountedSecret: "" # additional http headers headers: {} # minimum priority "" < info < warning < critical < error minimumPriority: "" # list of sources which should send to the UI Log sources: [] # Skip already existing PolicyReportResults on startup skipExistingOnStartup: true # Added as additional properties to each webhook event customFields: {} # filter results send by namespaces, policies and priorities filter: {} # add additional webhook channels with different configurations and filters channels: [] telegram: # telegram bot token token: "" # telegram chat id chatID: "" # optional telegram proxy host host: "" # path to your custom certificate # can be added under extraVolumes certificate: "" # skip TLS verification if necessary skipTLS: false # receive the host and/or token from an existing secret, the token is added as Authorization header secretRef: "" # Mounted secret path by Secrets Controller, secret should be in json format mountedSecret: "" # additional http headers headers: {} # minimum priority "" < info < warning < critical < error minimumPriority: "" # list of sources which should send to telegram sources: [] # Skip already existing PolicyReportResults on startup skipExistingOnStartup: true # Added as additional properties to each notification customFields: {} # filter results send by namespaces, policies and priorities filter: {} # add additional telegram channels with different configurations and filters channels: [] googleChat: # GoogleChat webhook webhook: "" # path to your custom certificate # can be added under extraVolumes certificate: "" # skip TLS verification if necessary skipTLS: false # receive the host and/or token from an existing secret, the token is added as Authorization header secretRef: "" # Mounted secret path by Secrets Controller, secret should be in json format mountedSecret: "" # additional http headers headers: {} # minimum priority "" < info < warning < critical < error minimumPriority: "" # list of sources which should send to telegram sources: [] # Skip already existing PolicyReportResults on startup skipExistingOnStartup: true # Added as additional properties to each notification customFields: {} # filter results send by namespaces, policies and priorities filter: {} # add additional telegram channels with different configurations and filters channels: [] s3: # S3 access key accessKeyID: "" # S3 secret access key secretAccessKey: "" # receive the accessKeyID and/or secretAccessKey from an existing secret instead secretRef: "" # Mounted secret path by Secrets Controller, secret should be in json format mountedSecret: "" # S3 storage region region: "" # S3 storage endpoint endpoint: "" # S3 storage, bucket name bucket: "" # S3 storage to use an S3 Bucket Key for object encryption with SSE-KMS bucketKeyEnabled: false # S3 storage KMS Key ID for object encryption with SSE-KMS kmsKeyId: "" # S3 storage server-side encryption algorithm used when storing this object in Amazon S3, AES256, aws:kms serverSideEncryption: "" # S3 storage, force path style configuration pathStyle: false # name of prefix, keys will have format: s3:////YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json prefix: "" # minimum priority "" < info < warning < critical < error minimumPriority: "" # list of sources which should send to S3 sources: [] # Skip already existing PolicyReportResults on startup skipExistingOnStartup: true # Added as additional properties to each s3 event customFields: {} # filter results send by namespaces, policies and priorities filter: {} # add additional s3 channels with different configurations and filters channels: [] kinesis: # AWS access key accessKeyID: "" # AWS secret access key secretAccessKey: "" # receive the accessKeyID and/or secretAccessKey from an existing secret instead secretRef: "" # Mounted secret path by Secrets Controller, secret should be in json format mountedSecret: "" # AWS region region: "" # AWS Kinesis endpoint endpoint: "" # AWS Kinesis stream name streamName: "" # minimum priority "" < info < warning < critical < error minimumPriority: "" # list of sources which should send to S3 sources: [] # Skip already existing PolicyReportResults on startup skipExistingOnStartup: true # Added as additional properties to each kinesis event customFields: {} # filter results send by namespaces, policies and priorities filter: {} # add additional s3 channels with different configurations and filters channels: [] securityHub: # AWS access key accessKeyID: "" # AWS secret access key secretAccessKey: "" # receive the accessKeyID and/or secretAccessKey from an existing secret instead secretRef: "" # Mounted secret path by Secrets Controller, secret should be in json format mountedSecret: "" # AWS region region: "" # AWS SecurityHub endpoint (optional) endpoint: "" # AWS accountID accountID: "" # Used product name, defaults to "Polilcy Reporter" productName: "" # minimum priority "" < info < warning < critical < error minimumPriority: "" # list of sources which should send to S3 sources: [] # Skip already existing PolicyReportResults on startup skipExistingOnStartup: true # Enable cleanup listener for SecurityHub cleanup: false # Delay between AWS GetFindings API calls, to avoid hitting the API RequestLimit delayInSeconds: 2 # Added as additional properties to each securityHub event customFields: {} # filter results send by namespaces, policies and priorities filter: {} # add additional s3 channels with different configurations and filters channels: [] gcs: # GCS (Google Cloud Storage) Service Accout Credentials credentials: "" # receive the credentials from an existing secret instead secretRef: "" # Mounted secret path by Secrets Controller, secret should be in json format mountedSecret: "" # GCS Bucket bucket: "" # minimum priority "" < info < warning < critical < error minimumPriority: "" # list of sources which should send to GCS sources: [] # Skip already existing PolicyReportResults on startup skipExistingOnStartup: true # Added as additional properties to each gcs event customFields: {} # filter results send by namespaces, policies and priorities filter: {} # add additional s3 channels with different configurations and filters channels: [] # required when policy-reporter runs in HA mode and you have targets configured # if no targets are configured, leaderElection is disabled automatically # will be enabled when replicaCount > 1 leaderElection: enabled: false releaseOnCancel: true leaseDuration: 15 renewDeadline: 10 retryPeriod: 2 # use redis as external result cache instead of the in memory cache redis: enabled: false address: "" database: 0 prefix: "policy-reporter" username: "" password: "" # enabled if replicaCount > 1 podDisruptionBudget: # -- Configures the minimum available pods for policy-reporter disruptions. # Cannot be used if `maxUnavailable` is set. minAvailable: 1 # -- Configures the maximum unavailable pods for policy-reporter disruptions. # Cannot be used if `minAvailable` is set. maxUnavailable: # Node labels for pod assignment # ref: https://kubernetes.io/docs/user-guide/node-selection/ nodeSelector: {} # Tolerations for pod assignment # ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ tolerations: [] # Anti-affinity to disallow deploying client and master nodes on the same worker node affinity: {} # Topology Spread Constraints to better spread pods topologySpreadConstraints: [] # livenessProbe for policy-reporter livenessProbe: httpGet: path: /ready port: http # readinessProbe for policy-reporter readinessProbe: httpGet: path: /healthz port: http extraVolumes: volumeMounts: [] volumes: [] # If set the volume for sqlite is freely configurable below "- name: sqlite". If no value is set an emptyDir is used. sqliteVolume: {} # emptyDir: # sizeLimit: 10Mi # If set the volume for /tmp is freely configurable below "- name: tmp". If no value is set an emptyDir is used. tmpVolume: {} # emptyDir: # sizeLimit: 10Mi