test-values.yaml

bbtests:
  enabled: true
  scripts:
    envs:
      PACKAGE_LEVEL_TEST: "true"
waitforready:
  imagePullSecrets:
  - name: private-registry
excludeContainers:
  - not-me
  - or-me
exclude:
  any:
  - resources:
      namespaces:
      - kyverno-policies
      names:
      - kyverno-policies-script-test*
policies:
  clone-configs:
    enabled: true
    parameters:
      clone:
      - name: clone-configs-1
        kind: ConfigMap
        namespace: "{{ .Release.Namespace }}"
      - name: clone-configs-2
        kind: Secret
        namespace: "{{ .Release.Namespace }}"
  disallow-annotations:
    enabled: true
    parameters:
      disallow:
      - 'kyverno-policies-bbtest/test: disallowed'
      - kyverno-policies-bbtest/disallowed
  disallow-deprecated-apis:
    enabled: true
  disallow-host-namespaces:
    enabled: true
  disallow-image-tags:
    enabled: true
  disallow-istio-injection-bypass:
    enabled: true
  disallow-labels:
    enabled: true
    parameters:
      disallow:
      - 'kyverno-policies-bbtest/test: disallowed'
      - kyverno-policies-bbtest/disallowed
  disallow-namespaces:
    enabled: true
  disallow-nodeport-services:
    enabled: true
  disallow-pod-exec:
    enabled: false  # No way to test this
  disallow-privilege-escalation:
    enabled: true
  disallow-privileged-containers:
    enabled: true
  disallow-rbac-on-default-serviceaccounts:
    enabled: true
  disallow-tolerations:
    enabled: true
    parameters:
      disallow:
      - effect: NoSchedule
        key: notallowed
        value: 'false'
      - effect: '*NoSchedule'
        key: disa??owed
        value: 'true'
  require-annotations:
    enabled: true
    parameters:
      require:
      - 'kyverno-policies-bbtest/test: required'
      - kyverno-policies-bbtest/required
  require-cpu-limit:
    enabled: true
  require-drop-all-capabilities:
    enabled: true
  require-image-signature:
    enabled: true
    parameters:
      require:
      - imageReferences:
        - "ghcr.io/kyverno/test-verify-image:*"
        attestors:
        - count: 1
          entries:
          - keys:
              publicKeys: |-
                -----BEGIN PUBLIC KEY-----
                MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
                5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
                -----END PUBLIC KEY-----
        mutateDigest: false
        verifyDigest: false
      - imageReferences:
        - "registry1.dso.mil/ironbank/*"
        attestors:
        - count: 1
          entries:
          - keys:
              publicKeys: |-
                -----BEGIN PUBLIC KEY-----
                MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL
                UfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==
                -----END PUBLIC KEY-----
        # Ironbank images are rebuilt nightly and tags are not immutable
        mutateDigest: false
        verifyDigest: false
  require-istio-on-namespaces:
    enabled: true
  require-labels:
    enabled: true
    parameters:
      require:
      - 'kyverno-policies-bbtest/test: required'
      - kyverno-policies-bbtest/required
  require-memory-limit:
    enabled: true
  require-non-root-group:
    enabled: true
  require-non-root-user:
    enabled: true
  require-probes:
    enabled: true
  require-requests-equal-limits:
    enabled: true
  require-ro-rootfs:
    enabled: true
  restrict-apparmor:
    enabled: true
  restrict-capabilities:
    enabled: true
  restrict-external-ips:
    enabled: true
    parameters:
      allow:
      - 192.168.0.1
  restrict-external-names:
    enabled: true
    parameters:
      allow:
      - allowed
  restrict-group-id:
    enabled: true
  restrict-host-path-mount:
    enabled: true
    parameters:
      allow:
      - /tmp/allowed
  restrict-host-path-mount-pv:
    enabled: true
    parameters:
      allow:
      - /tmp/allowed
  restrict-host-path-write:
    enabled: true
    parameters:
      allow:
      - /tmp/allowed
  restrict-host-ports:
    enabled: true
    parameters:
      allow:
      - '63999'
      - '>= 64000 & < 65000'
      - '> 65000'
  restrict-image-registries:
    enabled: true
  restrict-proc-mount:
    enabled: true
  restrict-seccomp:
    enabled: true
  restrict-selinux-type:
    enabled: true
  restrict-sysctls:
    enabled: true
  restrict-user-id:
    enabled: true
  restrict-volume-types:
    enabled: true
  update-image-pull-policy:
    enabled: true
    parameters:
      update:
      - to: Always
  update-image-registry:
    enabled: true
    parameters:
      update:
      - from: replace.image.registry
        to: registry1.dso.mil
  update-token-automount:
    enabled: true
  update-automountserviceaccounttokens:
    enabled: true
    namespaces:
      - namespace: update-automountserviceaccounttokens-2
        serviceAccounts:
        - update-token-automount-2