# config -- The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used.
config: null

# NOTE(review): a remotely fetched config carries the exemptions (and presumably the check settings) that Polaris applies, so whoever controls the URL controls the policy. Use HTTPS, a host you control, and preferably a pinned revision rather than a mutable branch.
# configUrl -- Use a config from an accessible URL source.  NOTE: `config` & `configUrl` are mutually exclusive.  Setting `configUrl` will take precedence over `config`.  Only one may be used.
# configUrl: https://example.com/config.yaml
configUrl: null

# NOTE(review): entries here are appended to the exemptions from `config`, so each one widens what is excluded from checks; review additions like any other policy change.
# additionalExemptions -- List of additional exemptions to append to the exemptions given in `config`
additionalExemptions: null


# Container image used for the Polaris workloads created by this chart.
image:
  # image.repository -- Image repo
  repository: quay.io/fairwinds/polaris
  # NOTE(review): a tag is a mutable reference, and with `pullPolicy: Always` it is re-resolved at the registry on every pod start. Whether this chart accepts a digest reference is not visible here — confirm against the deployment template if you need immutable pinning.
  # image.tag -- The Polaris Image tag to use. Defaults to the Chart's AppVersion
  tag: ""
  # image.pullPolicy -- Image pull policy
  pullPolicy: Always
  # Empty by default, i.e. no registry credentials are attached through this value.
  # image.pullSecrets -- Image pull secrets
  pullSecrets: []

rbac:
  # NOTE(review): the permissions granted by the ClusterRole are defined in the chart templates, not in this file. A ClusterRole binding applies cluster-wide, so review those rules before installing.
  # rbac.enabled -- Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created
  enabled: true

serviceAccount:
  # serviceAccount.create -- Specifies whether a service account should be created
  create: true
  # Left empty (null) by default; presumably the chart derives a name when `create` is true — confirm in the templates.
  # serviceAccount.name -- The name of the service account to use.
  name:

# templateOnly -- Outputs Namespace names, used with `helm template`
templateOnly: false

dashboard:
  # NOTE(review): no value in this block configures authentication for the dashboard itself; the commented oauth-proxy example under `extraContainers` is the only access-control hook visible here. Confirm how access is restricted before exposing the dashboard through ingress or a LoadBalancer Service.
  # dashboard.basePath -- Path on which the dashboard is served. Defaults to `/`
  basePath: null
  # dashboard.enable -- Whether to run the dashboard.
  enable: true
  # dashboard.port -- Port that the dashboard will run from.
  port: 8080
  # NOTE(review): empty by default. When an authenticating sidecar fronts the dashboard, binding the dashboard to loopback (for example 127.0.0.1) keeps the unauthenticated port off the pod network — confirm the accepted value format against the dashboard command.
  # dashboard.listeningAddress -- Dashboard listening address.
  listeningAddress:
  # dashboard.replicas -- Number of replicas to run.
  replicas: 2
  # dashboard.logLevel -- Set the logging level for the Dashboard command
  logLevel: Info
  # dashboard.podAdditionalLabels -- Custom additional labels on dashboard pods.
  podAdditionalLabels: {}
  # dashboard.deploymentAnnotations -- Custom additional annotations on dashboard Deployment.
  deploymentAnnotations: {}
  # dashboard.resources -- Requests and limits for the dashboard
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 150m
      memory: 512Mi
  # NOTE(review): the example below is a skeleton — it lists no identity-provider arguments. If it is used, the Service must target the proxy port (8081 in the example, via `dashboard.service.targetPort`, which otherwise defaults to `dashboard.port`) and the dashboard should listen on loopback only (`dashboard.listeningAddress`); otherwise port 8080 may stay reachable without passing through the proxy. Pin the sidecar image and keep it patched.
  # dashboard.extraContainers -- allows injecting additional containers.
  extraContainers: []
  # extraContainers:
  #   - name: oauth-proxy
  #     image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0
  #     args:
  #       - --upstream=http://127.0.0.1:8080
  #       - --http-address=0.0.0.0:8081
  #     ports:
  #     - containerPort: 8081
  #       name: oauth-proxy
  #       protocol: TCP
  #     resources: {}
  service:
    # ClusterIP keeps the Service reachable only from inside the cluster.
    # dashboard.service.type -- Service Type
    type: ClusterIP
    # dashboard.service.annotations -- Service annotations
    annotations: {}
    # dashboard.service.targetPort -- Service targetport, defaults to dashboard.port
    targetPort:
    # NOTE(review): empty by default. If `type` is changed to LoadBalancer, set this to the CIDRs that should reach the dashboard; an empty list presumably leaves the load balancer open to any source — confirm how the template renders it.
    # dashboard.service.loadBalancerSourceRanges -- List of allowed CIDR values
    loadBalancerSourceRanges: []
  # dashboard.nodeSelector -- Dashboard pod nodeSelector
  nodeSelector: {}
  # dashboard.tolerations -- Dashboard pod tolerations
  tolerations: []
  # dashboard.affinity -- Dashboard pods affinity
  affinity: {}
  # Default spread: soft (ScheduleAnyway) constraints across zones and across nodes for pods labelled `component: dashboard`.
  # dashboard.topologySpreadConstraints -- Dashboard pods topologySpreadConstraints
  topologySpreadConstraints:
    - maxSkew: 1
      topologyKey: topology.kubernetes.io/zone
      whenUnsatisfiable: ScheduleAnyway
      labelSelector:
        matchLabels:
          component: dashboard
    - maxSkew: 1
      topologyKey: kubernetes.io/hostname
      whenUnsatisfiable: ScheduleAnyway
      labelSelector:
        matchLabels:
          component: dashboard
  ingress:
    # NOTE(review): disabled by default. The dashboard reports on cluster workloads, so when enabling ingress also set `tls` and put authentication in front of it (`hosts` and `tls` are both empty here).
    # dashboard.ingress.enabled -- Whether to enable ingress to the dashboard
    enabled: false
    # dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation.
    ingressClassName:
    # dashboard.ingress.hosts -- Web ingress hostnames
    hosts: []
    # dashboard.ingress.annotations -- Web ingress annotations
    annotations: {}
    # dashboard.ingress.tls -- Ingress TLS configuration
    tls: []
    # dashboard.ingress.defaultBackendEnabled -- DefaultBackend is required by GKE container native load balancer, set to true for this use case
    defaultBackendEnabled: false
  # dashboard.priorityClassName -- Priority Class name to be used in deployment if provided.
  priorityClassName:
  # NOTE(review): all three exemption switches default to false, i.e. exemptions are honoured. Annotation-based exemptions are presumably set on the workloads themselves, which would let a workload author opt out of checks — confirm, and consider `disallowAnnotationExemptions: true` where results must not be suppressible by workload owners.
  # dashboard.disallowExemptions -- Disallow any exemption
  disallowExemptions: false
  # dashboard.disallowConfigExemptions -- Disallow exemptions that are configured in the config file
  disallowConfigExemptions: false
  # dashboard.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations
  disallowAnnotationExemptions: false
  # Hardened default: no privilege escalation, not privileged, read-only root filesystem, must run as non-root, all Linux capabilities dropped. Overriding this value replaces these settings, so carry them over when customising.
  # dashboard.containerSecurityContext -- securityContext to apply to the dashboard container
  containerSecurityContext:
    allowPrivilegeEscalation: false
    privileged: false
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    capabilities:
      drop:
        - ALL

webhook:
  # Admission webhook settings; the webhook is off by default.
  # webhook.enable -- Whether to run the webhook
  enable: false
  # webhook.validate -- Enables the Validating Webhook, to reject resources with issues
  validate: true
  # NOTE(review): a mutating webhook rewrites resources at admission time, so what is stored can differ from what was submitted; off by default.
  # webhook.mutate -- Enables the Mutating Webhook, to modify resources with issues
  mutate: false
  # webhook.replicas -- Number of replicas
  replicas: 2
  # NOTE(review): `dashboard.logLevel` defaults to `Info` while this is `info`; confirm the level is parsed case-insensitively.
  # webhook.logLevel -- Set the logging level for the Webhook command
  logLevel: info
  # webhook.nodeSelector -- Webhook pod nodeSelector
  nodeSelector: {}
  # webhook.tolerations -- Webhook pod tolerations
  tolerations: []
  # webhook.affinity -- Webhook pods affinity
  affinity: {}
  # Default spread: soft (ScheduleAnyway) constraints across zones and across nodes for pods labelled `component: webhook`.
  # webhook.topologySpreadConstraints -- Webhook pods topologySpreadConstraints
  topologySpreadConstraints:
  - maxSkew: 1
    topologyKey: topology.kubernetes.io/zone
    whenUnsatisfiable: ScheduleAnyway
    labelSelector:
      matchLabels:
        component: webhook
  - maxSkew: 1
    topologyKey: kubernetes.io/hostname
    whenUnsatisfiable: ScheduleAnyway
    labelSelector:
      matchLabels:
        component: webhook
  certManager:
    # -- Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps.
    apiVersion: ""
  # NOTE(review): `caBundle` and `secretName` are the manual alternative to cert-manager. The referenced secret holds the webhook's TLS private key, so restrict read access to it and plan certificate rotation yourself when cert-manager is not used.
  # webhook.caBundle -- CA Bundle to use for Validating Webhook instead of cert-manager
  caBundle: null
  # webhook.secretName -- Name of the secret containing a TLS certificate to use if cert-manager is not used.
  secretName: null
  # `Fail` is fail-closed: if the webhook cannot be reached, matching requests are rejected rather than admitted unchecked. `Ignore` would admit them without validation, so keep `Fail` where the webhook is a security control and rely on replicas for availability.
  # webhook.failurePolicy -- failurePolicy for the ValidatingWebhookConfiguration
  failurePolicy: Fail
  # webhook.matchPolicy -- matchPolicy for the ValidatingWebhookConfiguration
  matchPolicy: Exact
  # NOTE(review): this selector skips every namespace that carries a `control-plane` label key, whatever its value. Anyone permitted to label a namespace can therefore opt it out of validation; restrict namespace label changes or tighten the selector.
  # webhook.namespaceSelector -- namespaceSelector for the ValidatingWebhookConfiguration
  namespaceSelector:
    matchExpressions:
    - key: control-plane
      operator: DoesNotExist
  # webhook.objectSelector -- objectSelector for the ValidatingWebhookConfiguration
  objectSelector: {}
  # webhook.rules -- An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope.
  rules: []
  # webhook.mutatingRules -- An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope.
  mutatingRules: []
  # The defaults cover CREATE and UPDATE only, for namespaced workload kinds in the apps, batch and core groups; anything not listed here or in `rules` is not sent to the webhook.
  # webhook.defaultRules -- An array of rules for common types for the ValidatingWebhookConfiguration
  defaultRules:
  - apiGroups:
    - apps
    apiVersions:
    - v1
    - v1beta1
    - v1beta2
    operations:
    - CREATE
    - UPDATE
    resources:
    - daemonsets
    - deployments
    - statefulsets
    scope: Namespaced
  - apiGroups:
    - batch
    apiVersions:
    - v1
    - v1beta1
    operations:
    - CREATE
    - UPDATE
    resources:
    - jobs
    - cronjobs
    scope: Namespaced
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - pods
    - replicationcontrollers
    scope: Namespaced
  # webhook.podAdditionalLabels -- Custom additional labels on webhook pods.
  podAdditionalLabels: {}
  # webhook.deploymentAnnotations -- Custom additional annotations on webhook Deployment.
  deploymentAnnotations: {}
  # webhook.resources -- Requests and limits for the webhook.
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 100m
      memory: 128Mi
  # webhook.priorityClassName -- Priority Class name to be used in deployment if provided.
  priorityClassName:
  # NOTE(review): all three exemption switches default to false, i.e. exemptions are honoured at admission. Annotation-based exemptions are presumably set on the workloads themselves, which would let a workload author bypass enforcement — confirm, and consider `disallowAnnotationExemptions: true` when the webhook is meant to be binding.
  # webhook.disallowExemptions -- Disallow any exemption
  disallowExemptions: false
  # webhook.disallowConfigExemptions -- Disallow exemptions that are configured in the config file
  disallowConfigExemptions: false
  # webhook.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations
  disallowAnnotationExemptions: false
  # NOTE(review): the next two values are undocumented in this file; presumably they are annotations added to the MutatingWebhookConfiguration and ValidatingWebhookConfiguration objects respectively — confirm in the templates.
  mutatingConfigurationAnnotations: {}
  validatingConfigurationAnnotations: {}

audit:
  # audit.enable -- Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others.
  enable: false
  # audit.cleanup -- Whether to delete the namespace once the audit is finished.
  cleanup: false
  # NOTE(review): audit results describe the cluster's workloads and their findings and are sent off-cluster to this URL. Point it only at an HTTPS endpoint you trust; empty by default.
  # audit.outputURL -- A URL which will receive a POST request with audit results.
  outputURL: ""