# config -- The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. config: null # configUrl -- Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. # configUrl: https://example.com/config.yaml configUrl: null # additionalExemptions -- List of additional exemptions to append to the exemptions given in `config` additionalExemptions: null image: # image.repository -- Image repo repository: quay.io/fairwinds/polaris # image.tag -- The Polaris Image tag to use. Defaults to the Chart's AppVersion tag: "" # image.pullPolicy -- Image pull policy pullPolicy: Always # image.pullSecrets -- Image pull secrets pullSecrets: [] rbac: # rbac.enabled -- Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created enabled: true serviceAccount: # serviceAccount.create -- Specifies whether a service account should be created create: true # serviceAccount.name -- The name of the service account to use. name: # templateOnly -- Outputs Namespace names, used with `helm template` templateOnly: false dashboard: # dashboard.basePath -- Path on which the dashboard is served. Defaults to `/` basePath: null # dashboard.enable -- Whether to run the dashboard. enable: true # dashboard.port -- Port that the dashboard will run from. port: 8080 # dashboard.listeningAddress -- Dashboard listerning address. listeningAddress: # dashboard.replicas -- Number of replicas to run. replicas: 2 # dashboard.logLevel -- Set the logging level for the Dashboard command logLevel: Info # dashboard.podAdditionalLabels -- Custom additional labels on dashboard pods. podAdditionalLabels: {} # dashboard.deploymentAnnotations -- Custom additional annotations on dashboard Deployment. deploymentAnnotations: {} # dashboard.resources -- Requests and limits for the dashboard resources: requests: cpu: 100m memory: 128Mi limits: {} # dashboard.extraContainers -- allows injecting additional containers. extraContainers: [] # extraContainers: # - name: oauth-proxy # image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0 # args: # - --upstream=http://127.0.0.1:8080 # - --http-address=0.0.0.0:8081 # ports: # - containerPort: 8081 # name: oauth-proxy # protocol: TCP # resources: {} service: # dashboard.service.type -- Service Type type: ClusterIP # dashboard.service.annotations -- Service annotations annotations: {} # dashboard.service.targetPort -- Service targetport, defaults to dashboard.port targetPort: # dashboard.service.loadBalancerSourceRanges -- List of allowed CIDR values loadBalancerSourceRanges: [] # dashboard.nodeSelector -- Dashboard pod nodeSelector nodeSelector: {} # dashboard.tolerations -- Dashboard pod tolerations tolerations: [] # dashboard.affinity -- Dashboard pods affinity affinity: {} # dashboard.topologySpreadConstraints -- Dashboard pods topologySpreadConstraints topologySpreadConstraints: - maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway labelSelector: matchLabels: component: dashboard - maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: ScheduleAnyway labelSelector: matchLabels: component: dashboard ingress: # dashboard.ingress.enabled -- Whether to enable ingress to the dashboard enabled: false # dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. ingressClassName: # dashboard.ingress.hosts -- Web ingress hostnames hosts: [] # dashboard.ingress.annotations -- Web ingress annotations annotations: {} # dashboard.ingress.tls -- Ingress TLS configuration tls: [] # dashboard.ingress.defaultBackendEnabled -- DefaultBackend is required by GKE container native load balancer, set to true for this use case defaultBackendEnabled: false # dashboard.priorityClassName -- Priority Class name to be used in deployment if provided. priorityClassName: # dashboard.disallowExemptions -- Disallow any exemption disallowExemptions: false # dashboard.disallowConfigExemptions -- Disallow exemptions that are configured in the config file disallowConfigExemptions: false # dashboard.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations disallowAnnotationExemptions: false # dashboard.containerSecurityContext -- securityContext to apply to the dashboard container containerSecurityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true capabilities: drop: - ALL pdb: # -- If true, enables a PDB for the dashboard enable: true webhook: # webhook.enable -- Whether to run the webhook enable: false # webhook.validate -- Enables the Validating Webhook, to reject resources with issues validate: true # webhook.mutate -- Enables the Mutating Webhook, to modify resources with issues mutate: false # webhook.replicas -- Number of replicas replicas: 2 # webhook.logLevel -- Set the logging level for the Webhook command logLevel: info # webhook.nodeSelector -- Webhook pod nodeSelector nodeSelector: {} # webhook.tolerations -- Webhook pod tolerations tolerations: [] # webhook.affinity -- Webhook pods affinity affinity: {} # webhook.topologySpreadConstraints -- Webhook pods topologySpreadConstraints topologySpreadConstraints: - maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway labelSelector: matchLabels: component: webhook - maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: ScheduleAnyway labelSelector: matchLabels: component: webhook certManager: # -- Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. apiVersion: "" # webhook.caBundle -- CA Bundle to use for Validating Webhook instead of cert-manager caBundle: null # webhook.secretName -- Name of the secret containing a TLS certificate to use if cert-manager is not used. secretName: null # webhook.failurePolicy -- failurePolicy for the ValidatingWebhookConfiguration failurePolicy: Fail # webhook.matchPolicy -- matchPolicy for the ValidatingWebhookConfiguration matchPolicy: Exact # webhook.namespaceSelector -- namespaceSelector for the ValidatingWebhookConfiguration namespaceSelector: matchExpressions: - key: control-plane operator: DoesNotExist # webhook.objectSelector -- objectSelector for the ValidatingWebhookConfiguration objectSelector: {} # webhook.rules -- An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. rules: [] # webhook.mutatingRules -- An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. mutatingRules: [] # webhook.defaultRules -- An array of rules for common types for the ValidatingWebhookConfiguration defaultRules: - apiGroups: - apps apiVersions: - v1 - v1beta1 - v1beta2 operations: - CREATE - UPDATE resources: - daemonsets - deployments - statefulsets scope: Namespaced - apiGroups: - batch apiVersions: - v1 - v1beta1 operations: - CREATE - UPDATE resources: - jobs - cronjobs scope: Namespaced - apiGroups: - "" apiVersions: - v1 operations: - CREATE - UPDATE resources: - pods - replicationcontrollers scope: Namespaced # webhook.podAdditionalLabels -- Custom additional labels on webhook pods. podAdditionalLabels: {} # webhook.deploymentAnnotations -- Custom additional annotations on webhook Deployment. deploymentAnnotations: {} # webhook.resources -- Requests and limits for the webhook. resources: requests: cpu: 100m memory: 128Mi limits: {} # webhook.priorityClassName -- Priority Class name to be used in deployment if provided. priorityClassName: # webhook.disallowExemptions -- Disallow any exemption disallowExemptions: false # webhook.disallowConfigExemptions -- Disallow exemptions that are configured in the config file disallowConfigExemptions: false # webhook.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations disallowAnnotationExemptions: false mutatingConfigurationAnnotations: {} validatingConfigurationAnnotations: {} pdb: # -- If true, enables a PDB for the webhook enable: true audit: # audit.enable -- Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. enable: false # audit.cleanup -- Whether to delete the namespace once the audit is finished. cleanup: false # audit.outputURL -- A URL which will receive a POST request with audit results. outputURL: ""