forked from open-policy-agent/kube-mgmt
-
Notifications
You must be signed in to change notification settings - Fork 0
/
values.yaml
275 lines (235 loc) · 7.74 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
# Default values for opa.
# -----------------------
#
# OPA configuration file. See https://www.openpolicyagent.org/docs/configuration.html for more details.
opa: {}
# Setup the webhook using cert-manager
certManager:
enabled: false
rootCACertificateDuration: 43800h # 5y
servingCertificateDuration: 8760h # 1y
# Expose the prometheus scraping endpoint
prometheus:
enabled: false
port: 8182
## ServiceMonitor consumed by prometheus-operator
serviceMonitor:
## If the operator is installed in your cluster, set to true to create a Service Monitor Entry
enabled: false
interval: "15s"
## Namespace in which the service monitor is created
# namespace: monitoring
# Added to the ServiceMonitor object so that prometheus-operator is able to discover it
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
additionalLabels: {}
# Annotations in the deployment template
annotations: {}
# Bootstrap policies to load upon startup
# Define policies in the form of:
# <policyName> : |-
# <regoBody>
# For example, to mask the entire input body in the decision logs:
# bootstrapPolicies:
# log: |-
# package system.log
# mask["/input"]
bootstrapPolicies: {}
# Admission controller configuration.
admissionController:
enabled: false
# To enforce mutating policies, change to MutatingWebhookConfiguration.
kind: ValidatingWebhookConfiguration
# To set annotations on all admissionController resources (Secret/Certificate/Issuer/AdmissionController)
# annotations:
# example: value
# To _fail closed_ on failures, change to Fail. During initial testing, we
# recommend leaving the failure policy as Ignore.
failurePolicy: Ignore
# Adds a namespace selector to the admission controller webhook
namespaceSelector:
matchExpressions:
- {key: openpolicyagent.org/webhook, operator: NotIn, values: [ignore]}
# SideEffectClass for the webhook, setting to NoneOnDryRun enables dry-run.
# Only None and NoneOnDryRun are permitted for admissionregistration.k8s.io/v1.
sideEffect: None
# To restrict the kinds of operations and resources that are subject to OPA
# policy checks, see the settings below. By default, all resources and
# operations are subject to OPA policy checks.
rules:
- operations: ["*"]
apiGroups: ["*"]
apiVersions: ["*"]
resources: ["*"]
# The helm Chart will automatically generate a CA and server certificate for
# the OPA. If you want to supply your own certificates, set the field below to
# false and add the PEM encoded CA certificate and server key pair below.
#
# WARNING: The common name name in the server certificate MUST match the
# hostname of the service that exposes the OPA to the apiserver. For example.
# if the service name is created in the "default" nanamespace with name "opa"
# the common name MUST be set to "opa.default.svc".
#
# If the common name is not set correctly, the apiserver will refuse to
# communicate with the OPA.
generateCerts: true
CA: ""
cert: ""
key: ""
# Controls a PodDisruptionBudget for the OPA pod. Suggested use if having opa
# always running for admission control is important
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
authz:
# Disable if you don't want authorization.
# Mostly useful for debugging.
enabled: true
# Used for setting the mgmt token used for authz instead of auto generated default
# mgmtToken:
# secretName: name of the secret
# secretKey: (optional) key from the secret - default value is: "mgmtToken"
# Use hostNetwork setting on OPA pod
hostNetwork:
enabled: false
# Docker image and tag to deploy.
image:
repository: openpolicyagent/opa
tag: 0.48.0
pullPolicy: IfNotPresent
# One or more secrets to be used when pulling images
imagePullSecrets: []
# - registrySecretName
# Should OPA use TLS or not.
useHttps: true
# Port to which the opa pod will bind itself,
port: 8181
extraArgs: []
# Extra environment variables to be loaded into the OPA container
extraEnv: []
mgmt:
enabled: true
image:
repository: openpolicyagent/kube-mgmt
tag: null # appVersion is used by default, set to desired value to override
pullPolicy: IfNotPresent
extraArgs: []
extraEnv: []
resources: {}
namespaces: []
data:
enabled: true
policies:
enabled: true
# NOTE IF you use these, remember to update the RBAC rules below to allow
# permissions to replicate these things
replicate:
cluster: []
# - [group/]version/resource
namespace: []
# - [group/]version/resource
path: kubernetes
# Log level for OPA ('debug', 'info', 'error') (app default=info)
logLevel: info
# Log format for OPA ('text', 'json') (app default=text)
logFormat: json
# Number of OPA replicas to deploy. OPA maintains an eventually consistent
# cache of policies and data. If you want high availability you can deploy two
# or more replicas.
replicas: 1
# To control how the OPA is scheduled on the cluster, set the affinity,
# tolerations and nodeSelector values below. For example, to deploy OPA onto
# the master nodes, 1 replica per node:
#
# affinity:
# podAntiAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# - labelSelector:
# matchExpressions:
# - key: "app"
# operator: In
# values:
# - opa
# topologyKey: "kubernetes.io/hostname"
# tolerations:
# - key: "node-role.kubernetes.io/master"
# effect: NoSchedule
# operator: Exists
# nodeSelector:
# kubernetes.io/role: "master"
affinity: {}
tolerations: []
nodeSelector: {}
# To control the CPU and memory resource limits and requests for OPA, set the
# field below.
resources: {}
rbac:
# should ClusterRole for kube-mgmt be created
create: true
# extra rules to be added to a ClusterRole
extraRules: []
# - apiGroups: [""]
# resources: ["configmaps"]
# verbs: ["*"]
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template
name:
# This proxy allows opa to make Kubernetes SubjectAccessReview checks against the
# Kubernetes API. You can get a rego function at github.com/open-policy-agent/library
sar:
enabled: false
image:
repository: lachlanevenson/k8s-kubectl
tag: latest
pullPolicy: IfNotPresent
resources: {}
# Set a priorityClass using priorityClassName
# priorityClassName:
# Timeout for a webhook call in seconds.
# Starting in kubernetes 1.14 you can set the timeout and it is
# encouraged to use a small timeout for webhooks. If the webhook call times out, the request
# the request is handled according to the webhook'sfailure policy.
# timeoutSeconds: 20
securityContext:
enabled: false
runAsNonRoot: true
runAsUser: 1
deploymentStrategy: {}
# rollingUpdate:
# maxSurge: 1
# maxUnavailable: 0
# type: RollingUpdate
extraContainers: []
## Additional containers to be added to the opa pod.
# - name: example-app
# image: example/example-app:latest
# args:
# - "run"
# - "--port=11811"
# - "--config=/etc/example-app-conf/config.yaml"
# - "--opa-endpoint=https://localhost:443"
# ports:
# - name: http
# containerPort: 11811
# protocol: TCP
# volumeMounts:
# - name: example-app-auth-config
# mountPath: /etc/example-app-conf
extraVolumes: []
## Additional volumes to the opa pod.
# - name: example-app-auth-config
# secret:
# secretName: example-app-auth-config
extraVolumeMounts: []
## Mounting config for using the additional volumes
# - name: example-app-auth-config
# mountPath: /mount/path
extraPorts: []
## Additional ports to the opa services. Useful to expose extra container ports.
# - port: 11811
# protocol: TCP
# name: http
# targetPort: http