261 lines
9.3 KiB
YAML
261 lines
9.3 KiB
YAML
# config -- The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used.
|
|
config: null
|
|
|
|
# configUrl -- Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used.
|
|
# configUrl: https://example.com/config.yaml
|
|
configUrl: null
|
|
|
|
# additionalExemptions -- List of additional exemptions to append to the exemptions given in `config`
|
|
additionalExemptions: null
|
|
|
|
|
|
image:
|
|
# image.repository -- Image repo
|
|
repository: quay.io/fairwinds/polaris
|
|
# image.tag -- The Polaris Image tag to use. Defaults to the Chart's AppVersion
|
|
tag: ""
|
|
# image.pullPolicy -- Image pull policy
|
|
pullPolicy: Always
|
|
# image.pullSecrets -- Image pull secrets
|
|
pullSecrets: []
|
|
|
|
rbac:
|
|
# rbac.enabled -- Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created
|
|
enabled: true
|
|
|
|
serviceAccount:
|
|
# serviceAccount.create -- Specifies whether a service account should be created
|
|
create: true
|
|
# serviceAccount.name -- The name of the service account to use.
|
|
name:
|
|
|
|
# templateOnly -- Outputs Namespace names, used with `helm template`
|
|
templateOnly: false
|
|
|
|
dashboard:
|
|
# dashboard.basePath -- Path on which the dashboard is served. Defaults to `/`
|
|
basePath: null
|
|
# dashboard.enable -- Whether to run the dashboard.
|
|
enable: true
|
|
# dashboard.port -- Port that the dashboard will run from.
|
|
port: 8080
|
|
# dashboard.listeningAddress -- Dashboard listerning address.
|
|
listeningAddress:
|
|
# dashboard.replicas -- Number of replicas to run.
|
|
replicas: 2
|
|
# dashboard.logLevel -- Set the logging level for the Dashboard command
|
|
logLevel: Info
|
|
# dashboard.podAdditionalLabels -- Custom additional labels on dashboard pods.
|
|
podAdditionalLabels: {}
|
|
# dashboard.deploymentAnnotations -- Custom additional annotations on dashboard Deployment.
|
|
deploymentAnnotations: {}
|
|
# dashboard.resources -- Requests and limits for the dashboard
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
limits:
|
|
cpu: 150m
|
|
memory: 512Mi
|
|
# dashboard.extraContainers -- allows injecting additional containers.
|
|
extraContainers: []
|
|
# extraContainers:
|
|
# - name: oauth-proxy
|
|
# image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0
|
|
# args:
|
|
# - --upstream=http://127.0.0.1:8080
|
|
# - --http-address=0.0.0.0:8081
|
|
# ports:
|
|
# - containerPort: 8081
|
|
# name: oauth-proxy
|
|
# protocol: TCP
|
|
# resources: {}
|
|
service:
|
|
# dashboard.service.type -- Service Type
|
|
type: ClusterIP
|
|
# dashboard.service.annotations -- Service annotations
|
|
annotations: {}
|
|
# dashboard.service.targetPort -- Service targetport, defaults to dashboard.port
|
|
targetPort:
|
|
# dashboard.service.loadBalancerSourceRanges -- List of allowed CIDR values
|
|
loadBalancerSourceRanges: []
|
|
# dashboard.nodeSelector -- Dashboard pod nodeSelector
|
|
nodeSelector: {}
|
|
# dashboard.tolerations -- Dashboard pod tolerations
|
|
tolerations: []
|
|
# dashboard.affinity -- Dashboard pods affinity
|
|
affinity: {}
|
|
# dashboard.topologySpreadConstraints -- Dashboard pods topologySpreadConstraints
|
|
topologySpreadConstraints:
|
|
- maxSkew: 1
|
|
topologyKey: topology.kubernetes.io/zone
|
|
whenUnsatisfiable: ScheduleAnyway
|
|
labelSelector:
|
|
matchLabels:
|
|
component: dashboard
|
|
- maxSkew: 1
|
|
topologyKey: kubernetes.io/hostname
|
|
whenUnsatisfiable: ScheduleAnyway
|
|
labelSelector:
|
|
matchLabels:
|
|
component: dashboard
|
|
ingress:
|
|
# dashboard.ingress.enabled -- Whether to enable ingress to the dashboard
|
|
enabled: false
|
|
# dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation.
|
|
ingressClassName:
|
|
# dashboard.ingress.hosts -- Web ingress hostnames
|
|
hosts: []
|
|
# dashboard.ingress.annotations -- Web ingress annotations
|
|
annotations: {}
|
|
# dashboard.ingress.tls -- Ingress TLS configuration
|
|
tls: []
|
|
# dashboard.ingress.defaultBackendEnabled -- DefaultBackend is required by GKE container native load balancer, set to true for this use case
|
|
defaultBackendEnabled: false
|
|
# dashboard.priorityClassName -- Priority Class name to be used in deployment if provided.
|
|
priorityClassName:
|
|
# dashboard.disallowExemptions -- Disallow any exemption
|
|
disallowExemptions: false
|
|
# dashboard.disallowConfigExemptions -- Disallow exemptions that are configured in the config file
|
|
disallowConfigExemptions: false
|
|
# dashboard.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations
|
|
disallowAnnotationExemptions: false
|
|
# dashboard.containerSecurityContext -- securityContext to apply to the dashboard container
|
|
containerSecurityContext:
|
|
allowPrivilegeEscalation: false
|
|
privileged: false
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: true
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
pdb:
|
|
# -- If true, enables a PDB for the dashboard
|
|
enable: true
|
|
|
|
webhook:
|
|
# webhook.enable -- Whether to run the webhook
|
|
enable: false
|
|
# webhook.validate -- Enables the Validating Webhook, to reject resources with issues
|
|
validate: true
|
|
# webhook.mutate -- Enables the Mutating Webhook, to modify resources with issues
|
|
mutate: false
|
|
# webhook.replicas -- Number of replicas
|
|
replicas: 2
|
|
# webhook.logLevel -- Set the logging level for the Webhook command
|
|
logLevel: info
|
|
# webhook.nodeSelector -- Webhook pod nodeSelector
|
|
nodeSelector: {}
|
|
# webhook.tolerations -- Webhook pod tolerations
|
|
tolerations: []
|
|
# webhook.affinity -- Webhook pods affinity
|
|
affinity: {}
|
|
# webhook.topologySpreadConstraints -- Webhook pods topologySpreadConstraints
|
|
topologySpreadConstraints:
|
|
- maxSkew: 1
|
|
topologyKey: topology.kubernetes.io/zone
|
|
whenUnsatisfiable: ScheduleAnyway
|
|
labelSelector:
|
|
matchLabels:
|
|
component: webhook
|
|
- maxSkew: 1
|
|
topologyKey: kubernetes.io/hostname
|
|
whenUnsatisfiable: ScheduleAnyway
|
|
labelSelector:
|
|
matchLabels:
|
|
component: webhook
|
|
certManager:
|
|
# -- Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps.
|
|
apiVersion: ""
|
|
# webhook.caBundle -- CA Bundle to use for Validating Webhook instead of cert-manager
|
|
caBundle: null
|
|
# webhook.secretName -- Name of the secret containing a TLS certificate to use if cert-manager is not used.
|
|
secretName: null
|
|
# webhook.failurePolicy -- failurePolicy for the ValidatingWebhookConfiguration
|
|
failurePolicy: Fail
|
|
# webhook.matchPolicy -- matchPolicy for the ValidatingWebhookConfiguration
|
|
matchPolicy: Exact
|
|
# webhook.namespaceSelector -- namespaceSelector for the ValidatingWebhookConfiguration
|
|
namespaceSelector:
|
|
matchExpressions:
|
|
- key: control-plane
|
|
operator: DoesNotExist
|
|
# webhook.objectSelector -- objectSelector for the ValidatingWebhookConfiguration
|
|
objectSelector: {}
|
|
# webhook.rules -- An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope.
|
|
rules: []
|
|
# webhook.mutatingRules -- An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope.
|
|
mutatingRules: []
|
|
# webhook.defaultRules -- An array of rules for common types for the ValidatingWebhookConfiguration
|
|
defaultRules:
|
|
- apiGroups:
|
|
- apps
|
|
apiVersions:
|
|
- v1
|
|
- v1beta1
|
|
- v1beta2
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- daemonsets
|
|
- deployments
|
|
- statefulsets
|
|
scope: Namespaced
|
|
- apiGroups:
|
|
- batch
|
|
apiVersions:
|
|
- v1
|
|
- v1beta1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- jobs
|
|
- cronjobs
|
|
scope: Namespaced
|
|
- apiGroups:
|
|
- ""
|
|
apiVersions:
|
|
- v1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- pods
|
|
- replicationcontrollers
|
|
scope: Namespaced
|
|
# webhook.podAdditionalLabels -- Custom additional labels on webhook pods.
|
|
podAdditionalLabels: {}
|
|
# webhook.deploymentAnnotations -- Custom additional annotations on webhook Deployment.
|
|
deploymentAnnotations: {}
|
|
# webhook.resources -- Requests and limits for the webhook.
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
limits:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
# webhook.priorityClassName -- Priority Class name to be used in deployment if provided.
|
|
priorityClassName:
|
|
# webhook.disallowExemptions -- Disallow any exemption
|
|
disallowExemptions: false
|
|
# webhook.disallowConfigExemptions -- Disallow exemptions that are configured in the config file
|
|
disallowConfigExemptions: false
|
|
# webhook.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations
|
|
disallowAnnotationExemptions: false
|
|
mutatingConfigurationAnnotations: {}
|
|
validatingConfigurationAnnotations: {}
|
|
pdb:
|
|
# -- If true, enables a PDB for the webhook
|
|
enable: true
|
|
|
|
audit:
|
|
# audit.enable -- Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others.
|
|
enable: false
|
|
# audit.cleanup -- Whether to delete the namespace once the audit is finished.
|
|
cleanup: false
|
|
# audit.outputURL -- A URL which will receive a POST request with audit results.
|
|
outputURL: ""
|