
k8s-agents-operator

Helm chart

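# Default values for k8s-agents-operator.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# NOTE(review): the license key is a credential. Leave it empty in any values
# file that is committed or shared, and supply it at install time instead.
# -- Sets the license key to use. Can be configured also with `global.licenseKey`
licenseKey: ""
# -- Additional labels for chart pods
podLabels: {}
# -- Additional labels for chart objects
labels: {}
# -- Annotations to be added to the deployment.
podAnnotations: {}
# -- Sets pod's priorityClassName. Can be configured also with `global.priorityClassName`
priorityClassName: ""
# -- Sets pod's dnsConfig. Can be configured also with `global.dnsConfig`
dnsConfig: {}
# -- Image pull secrets. Can be configured also with `global.images.pullSecrets`
imagePullSecrets: []
# NOTE(review): a proxy URL that embeds user:password is stored in plain text
# wherever these values end up; treat such a values file as a secret.
# -- HTTP/HTTPS proxy URL for Kubernetes API calls. Can be configured also with `global.proxy`
proxy: ""
# -- Sets all pods' node selector. Can be configured also with `global.nodeSelector`
nodeSelector: {}
# -- Sets all pods' tolerations to node taints. Can be configured also with `global.tolerations`
tolerations: []
# -- Sets all pods' affinities. Can be configured also with `global.affinity`
affinity: {}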
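# NOTE(review): with runAsNonRoot set and runAsUser left commented out, the
# kubelet takes the UID from the image. An image that runs as root, or that
# declares a non-numeric user, is refused at container start. Uncomment the
# IDs below to pin them explicitly.
# -- Sets all security contexts (at pod level).
# -- Source: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
# -- SecurityContext holds pod-level security attributes and common container settings
podSecurityContext:
  # runAsGroup: 65532
  runAsNonRoot: true
  # runAsUser: 65532
  # fsGroup: 65532
# NOTE(review): this comment names `global.securityContext.container`, while the
# precedence list under controllerManager.manager names
# `global.containerSecurityContext`; confirm in the templates which key is read.
# That same list states that allowPrivilegeEscalation=false and
# capabilities.drop=[ALL] apply when nothing is set, so an empty map here is
# not an unrestricted container.
# -- Sets all security context (at container level). Can be configured also with `global.securityContext.container`
containerSecurityContext: {}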
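# NOTE(review): hostNetwork places the pod in the node's network namespace, so
# every port the pod opens (webhook, metrics, health probe) listens on the node
# itself and can collide with other host-network workloads. Leave it unset
# unless the API server cannot reach pod IPs in your cluster.
# If hostNetwork is set to true, the webhook server will bind to the host network.
# Can be configured also with `global.hostNetwork`
# @default -- `false`
hostNetwork:
kubernetesClusterDomain: cluster.local
crds:
  enabled: true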
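# NOTE(review): nesting below follows the key paths named in the comments
# (controllerManager.manager.*). The placement of `registry` under `image` and
# of `leaderElection` under `manager` is inferred; confirm against the chart source.
controllerManager:
  replicas: 1
  manager:
    # -- Enable or disable verbose (debug) logging -- #
    # -- This setting takes precedence over global.verboseLog
    # -- Set to true to enable debug logging, false to use logLevel, or leave unset to use global.verboseLog
    # -- Precedence (highest to lowest):
    # -- 1. controllerManager.manager.verboseLog (local override, highest)
    # -- 2. global.verboseLog (global setting)
    # -- 3. controllerManager.manager.logLevel (local setting)
    # -- 4. Default "info" (lowest)
    # -- Enable or disable verbose (debug) logging
    verboseLog:
    # -- Log level for the manager -- #
    # -- Possible values: debug, info, warn, error
    # -- Used when verboseLog is false or unset AND global.verboseLog is not set
    # -- Default: info
    # -- Log level for the manager
    logLevel: info
    image:
      # NOTE(review): the description below speaks of New Relic images, but the
      # defaults here point at a different repository and registry. Verify that
      # the registry, repository and digest match what your organisation has
      # approved before deploying.
      # -- Sets the repository and image to use for the manager. Please ensure you're using trusted New Relic images.
      repository: chainguard-private/k8s-agents-operator
      # NOTE(review): in a `tag@sha256:...` reference the digest decides which
      # image is pulled, so `latest` here does not float. Keep the digest when
      # overriding this value; a bare tag gives up that pinning.
      # -- Sets the manager image version to retrieve. Could be a tag i.e. "v0.17.0" or a SHA digest i.e. "sha256:e2399e70e99ac370ca6a3c7e5affa9655da3b246d0ada77c40ed155b3726ee2e"
      version: latest@sha256:354f32eb421141460b36c5ed403a8a490142419ce5ba020dbe59dc40dc942ad1
      # -- Sets the image pull policy for the manager container. Can be configured also with `global.images.pullPolicy`
      pullPolicy:
      registry: chainreg.biz
    resources:
      limits:
        cpu: 500m
        memory: 192Mi
      requests:
        cpu: 100m
        memory: 64Mi
    # NOTE(review): leaving this unset keeps the secure defaults listed in item 4.
    # The override example given below (allowPrivilegeEscalation: true) weakens
    # the container sandbox; set it only with a documented reason.
    # -- Sets security context (at container level) for the manager container. -- #
    # -- Precedence (highest to lowest):
    # -- 1. controllerManager.manager.containerSecurityContext (component-specific, highest)
    # -- 2. containerSecurityContext (chart-local value)
    # -- 3. global.containerSecurityContext (global value)
    # -- 4. Secure defaults: allowPrivilegeEscalation=false, capabilities.drop=[ALL] (lowest)
    # -- Values are merged, with higher precedence values overriding lower precedence values.
    # -- To override defaults, set this value explicitly (e.g., allowPrivilegeEscalation: true)
    # -- Sets security context (at container level) for the manager container. Overrides `containerSecurityContext` and `global.containerSecurityContext` (Type: object)
    containerSecurityContext:
    # -- Source: https://docs.openshift.com/container-platform/4.10/operators/operator_sdk/osdk-leader-election.html
    # -- Enable leader election mechanism for protecting against split brain if multiple operator pods/replicas are started
    leaderElection:
      enabled: true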
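# NOTE(review): when `create` is false the operator presumably runs under the
# account given in `name`, with whatever RBAC is already bound to it. Review
# those bindings rather than reusing a broadly privileged account.
# -- Settings controlling ServiceAccount creation
# @default -- See `values.yaml`
serviceAccount:
  # serviceAccount.create -- (bool) Specifies whether a ServiceAccount should be created
  # @default -- `true`
  create:
  # If not set and create is true, a name is generated using the fullname template
  name: ""
  # Specify any annotations to add to the ServiceAccount
  annotations: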
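# -- healthprobe settings
# -- healthprobe is a simple HTTP server that listens on the specified port and responds with 200 OK
# -- when the operator is healthy. It is used by Kubernetes to check the health of the operator.
healthProbe:
  port: 8081
# NOTE(review): both Services below are ClusterIP, so they are reachable only
# from inside the cluster. The metrics port is named `https`; confirm in the
# templates that the endpoint is served over TLS and requires authorization
# before letting scrapers from other namespaces reach it.
metricsService:
  ports:
    - name: https
      port: 8443
      protocol: TCP
      targetPort: 8443
  type: ClusterIP
# The API server calls the webhook on port 443; targetPort must match the port
# the webhook server listens on inside the pod.
webhookService:
  ports:
    - port: 443
      protocol: TCP
      targetPort: 9443
  type: ClusterIP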
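# NOTE(review): all keys from `create` to `timeoutSeconds` are shown nested
# under admissionWebhooks; that nesting is inferred from the comments, so
# confirm it against the chart source.
# -- Admission webhooks make sure only requests with correctly formatted rules will get into the Operator
admissionWebhooks:
  create: true
  # -- Namespaces to exclude from pod mutation. The webhook will not be invoked for pods created in
  # -- these namespaces. Defaults to well-known Kubernetes system namespaces. To allow instrumenting
  # -- a system namespace, remove it from this list.
  ignoreNamespaces:
    - kube-system
    - kube-public
    - kube-node-lease
  ## TLS Certificate Option 1: Use Helm to automatically generate self-signed certificate.
  ## certManager must be disabled and autoGenerateCert must be enabled.
  # NOTE(review): with `recreate: true` the webhook key pair is rotated on every
  # helm upgrade. If no upgrade happens within certPeriodDays the certificate
  # expires, and the API server then treats the webhook as unavailable; with
  # `failurePolicy: Fail` that blocks writes to Instrumentation resources.
  # Track the expiry date or use Option 2 for automated renewal.
  autoGenerateCert:
    # -- If true and certManager.enabled is false, Helm will automatically create a self-signed cert and secret for you.
    enabled: true
    # -- If set to true, new webhook key/certificate is generated on helm upgrade.
    recreate: true
    # -- Cert validity period time in days.
    certPeriodDays: 365
  ## TLS Certificate Option 2: Use certManager to generate self-signed certificate.
  certManager:
    # -- If true and autoGenerateCert.enabled is false, cert-manager will create a self-signed cert and secret for you.
    enabled: false
  ## TLS Certificate Option 3: Use your own self-signed certificate.
  ## certManager and autoGenerateCert must be disabled and certFile, keyFile, and caFile must be set.
  ## The chart reads the contents of the file paths with the helm .Files.Get function.
  ## Refer to this doc https://helm.sh/docs/chart_template_guide/accessing_files/ to understand
  ## limitations of file paths accessible to the chart.
  # NOTE(review): .Files.Get only reads files that are part of the chart, so the
  # private key has to sit inside the chart directory. Keep that copy out of
  # version control and out of any chart archive you publish.
  # -- Path to your own PEM-encoded certificate.
  certFile: ""
  # -- Path to your own PEM-encoded private key.
  keyFile: ""
  # -- Path to the CA cert.
  caFile: ""
  ## Webhook Configuration
  # The MutatingWebhookConfiguration contains 4 webhooks:
  # 1. Instrumentation v1beta2 webhook (mutates instrumentations.newrelic.com/v1beta2)
  # 2. Instrumentation v1beta1 webhook (mutates instrumentations.newrelic.com/v1beta1)
  # 3. Instrumentation v1alpha2 webhook (mutates instrumentations.newrelic.com/v1alpha2)
  # 4. Pod mutation webhook (mutates pods/v1)

  # -- Failure policy for Instrumentation webhooks (v1alpha2, v1beta1, v1beta2).
  # Valid values: Fail, Ignore. Default: Fail.
  # Fail: Rejects CREATE/UPDATE operations on Instrumentation resources if the webhook is unavailable,
  # ensuring strict validation and enforcement of instrumentation configuration.
  # Ignore: Allows operations to proceed even if the webhook is unavailable, providing resilience
  # but potentially allowing misconfigured Instrumentation resources.
  failurePolicy: Fail
  # -- Failure policy for Pod mutation webhook.
  # Valid values: Fail, Ignore. Default: Ignore.
  # Fail: Rejects pod creation if the webhook is unavailable, ensuring all pods are properly instrumented
  # but potentially blocking pod deployments if the operator is down.
  # Ignore: Allows pod creation to proceed even if the webhook is unavailable (default behavior),
  # providing resilience and preventing the operator from blocking critical workloads.
  # Note: This is intentionally separate from failurePolicy to allow different behavior for pod mutations.
  # With Ignore, pods created while the webhook is down start without
  # instrumentation and are not mutated afterwards; do not rely on this webhook
  # as an enforcement control.
  podFailurePolicy: Ignore
  # -- Timeout in seconds for all webhook calls (applies to all 4 webhooks).
  # If not set, defaults to Kubernetes API server default (typically 10s).
  # Valid range: 1-30 seconds.
  # Increase this value if you experience timeout issues due to network latency or slow webhook responses.
  # Example: Set to 15 for environments with high network latency.
  timeoutSeconds: null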
