-
Notifications
You must be signed in to change notification settings - Fork 76
/
values.yaml
137 lines (115 loc) · 3.66 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
# Default values for portieris.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 3
# Annotations to add to the Portieris deployment. Optional.
deployemntAnnotations: {}
# secret.reloader.stakater.com/reload: "portieris-certs"
# Annotations to add to the Portieris deployment's pod template. Optional.
podAnnotations: {}
# sidecar.istio.io/inject: "false"
image:
host: icr.io/portieris
pullSecret:
image: portieris
tag: v0.13.9
pullPolicy: Always
service:
type: ClusterIP
port: 443
targetPort: 8000
metricsPort: 8080
securityContext:
runAsUser: 1000060001
webHooks:
failurePolicy: Fail
# Define policySet to install the default policies
# Possible values: IKS | None
PolicySet: None
# If managing portieris-certs secret externally
SkipSecretCreation: false
# If using cert-manager to handle secrets
UseCertManager: false
certManagerIssuer:
skipCreation: false
kind: Issuer
name: portieris
## Use generated certs from values file.
## Ref: https://github.com/IBM/portieris/blob/main/helm/portieris/gencerts
##
UseGeneratedCerts:
enabled: false
tlsCert: |-
tlsKey: |-
caCert: |-
# Resoures defined to assist scheduling
# request is typical x10, limit is typical x100
resources:
limits:
cpu: 400m
memory: 600Mi
requests:
cpu: 40m
memory: 60Mi
nodeSelector: {}
tolerations: []
# Affinity settings
# the `podAntiAffinity` defined here results in the distribution of pods over nodes where possible
# intended to improve availability in the face of node and zone instability, reducing the potential of admission deadlock
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- portieris
topologyKey: "kubernetes.io/hostname"
weight: 50
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- portieris
topologyKey: "failure-domain.beta.kubernetes.io/zone"
weight: 50
# Allow an annotation to be used to skip the webhook. This is required for Portieris to be able to
# self heal when it has no running pods, which could otherwise deadlock your cluster after an
# outage.
# However, if this is enabled, anyone with access to annotate namespaces could bypass Portieris by
# setting the annotation on their namespaces. Therefore, be careful with your RBAC policies if you
# enable this option!
AllowAdmissionSkip: false
ObjectSelectorAdmissionSkip:
# matchLabels:
# app: xxx
# matchExpressions:
# - key: xxxxx.xxxxx/xxx
# operator: NotIn
# values:
# - xxxx
NamespaceSelectorAdmissionSkip:
#- key: kubernetes.io/metadata.name
# operator: NotIn
# values:
# - kube-system
clusterPolicy:
allowedRepositories:
# This permissive policy allows all images in namespaces which do not have an ImagePolicy.
# IMPORTANT: Review this policy and replace it with one that meets your requirements.
- name: "*"
# use hostNetwork for Portieris webhook
useHostNetwork: false
# Set podPriorityClass of the portieris deployment. This will tell kube api to schedule the pods as high priority and stop timing issues where applications try to start before the webhook is available
priorityClass: system-cluster-critical
# Specifying a Disruption Budget for portieris pod
# https://kubernetes.io/docs/tasks/run-application/configure-pdb/
podDisruptionBudget:
enabled: true
minAvailable: 1
# Service selector includes release in addition to app
selectByRelease: true