
open-policy-agent-gatekeeper

Helm chart
Default values

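# Default values for the open-policy-agent-gatekeeper Helm chart.
#
# NOTE(review): the page rendered this listing with interleaved gutter numbers
# and without indentation. Nesting below is reconstructed from key order;
# values are unchanged. Confirm the structure against the chart's values.yaml
# before relying on it, in particular the keys marked "placement" below.

replicas: 3
revisionHistoryLimit: 10
auditInterval: 60
metricsBackends: ["prometheus"]
auditMatchKindOnly: false
constraintViolationsLimit: 20
auditFromCache: false
disableAudit: false
disableMutation: false
disableValidatingWebhook: false
validatingWebhookName: gatekeeper-validating-webhook-configuration
# With failurePolicy Ignore and a 3 s timeout the validating webhook fails
# open: if Gatekeeper is unreachable, slow or erroring, the API server admits
# the request without policy evaluation. Use Fail where constraints are a hard
# control, and alert on webhook timeouts/errors either way.
validatingWebhookTimeoutSeconds: 3
validatingWebhookFailurePolicy: Ignore
validatingWebhookAnnotations: {}
validatingWebhookExemptNamespacesLabels: {}
validatingWebhookObjectSelector: {}
validatingWebhookMatchConditions: []
# Failure policy of the separate check that guards the namespace ignore label;
# it defaults to Fail (closed), unlike the main validating webhook above.
validatingWebhookCheckIgnoreFailurePolicy: Fail
validatingWebhookCustomRules: {}
validatingWebhookSubResources: ['pods/ephemeralcontainers', 'pods/exec', 'pods/log', 'pods/eviction', 'pods/portforward', 'pods/proxy', 'pods/attach', 'pods/binding', 'pods/resize', 'deployments/scale', 'replicasets/scale', 'statefulsets/scale', 'replicationcontrollers/scale', 'services/proxy', 'nodes/proxy', 'services/status']
validatingWebhookURL: null
validatingWebhookScope: '*'
# DELETE and CONNECT operations are not sent to the validating webhook by
# default; constraints meant to cover deletions or exec/attach-style requests
# need these enabled.
enableDeleteOperations: false
enableConnectOperations: false
# External data lets policies query provider services, so those providers
# become part of the admission trust boundary.
enableExternalData: true
enableGeneratorResourceExpansion: true
enableTLSHealthcheck: false
maxServingThreads: -1
mutatingWebhookName: gatekeeper-mutating-webhook-configuration
# Same fail-open behaviour as the validating webhook: with Ignore, objects are
# admitted unmutated when the webhook fails or exceeds its 1 s timeout.
mutatingWebhookFailurePolicy: Ignore
mutatingWebhookReinvocationPolicy: Never
mutatingWebhookAnnotations: {}
mutatingWebhookExemptNamespacesLabels: {}
mutatingWebhookObjectSelector: {}
mutatingWebhookMatchConditions: []
mutatingWebhookTimeoutSeconds: 1
mutatingWebhookCustomRules: {}
# NOTE(review): this list has no 'pods/resize' entry, unlike
# validatingWebhookSubResources — confirm whether that is intended.
mutatingWebhookSubResources: ['pods/ephemeralcontainers', 'pods/exec', 'pods/log', 'pods/eviction', 'pods/portforward', 'pods/proxy', 'pods/attach', 'pods/binding', 'deployments/scale', 'replicasets/scale', 'statefulsets/scale', 'replicationcontrollers/scale', 'services/proxy', 'nodes/proxy', 'services/status']
mutatingWebhookURL: null
mutatingWebhookScope: '*'
mutationAnnotations: false
auditChunkSize: 500
logLevel: INFO
# Denials and mutations are not logged by default; enabling these gives
# detection and incident response a record of what admission control did.
logDenies: false
logMutations: false
admissionEventsInvolvedNamespace: false
auditEventsInvolvedNamespace: false
resourceQuota: true
externaldataProviderResponseCacheTTL: 3m
enableK8sNativeValidation: true
commonAnnotations: {}
extraVolumeMounts: []
extraVolumes: []
image:
  repository: chainreg.biz/chainguard-private/gatekeeper
  crdRepository: chainreg.biz/chainguard-private/gatekeeper-crds
  # Tag plus digest: the sha256 digest is what pins the image content, the
  # "latest" tag is only a label here. Updating means changing the digest.
  release: latest@sha256:2c46d34eb60c04b64994eeb2cc187a4ae5d4882ed2e44972327eb5f24336f684
  pullPolicy: IfNotPresent
  # NOTE(review): the repository path suggests a private registry, which would
  # need pull credentials listed here — confirm for your environment.
  pullSecrets: []
preInstall:
  crdRepository:
    image:
      repository: chainreg.biz/chainguard-private/gatekeeper-crds
      tag: latest@sha256:b29180c2350d08d33674d1d0385e8455c9420308742f8d05f6623e1b5c0e9449
postUpgrade:
  labelNamespace:
    serviceAccount:
      name: gatekeeper-update-namespace-label-post-upgrade
      create: true
    enabled: false
    image:
      repository: chainreg.biz/chainguard-private/gatekeeper-crds
      tag: latest@sha256:b29180c2350d08d33674d1d0385e8455c9420308742f8d05f6623e1b5c0e9449
      pullPolicy: IfNotPresent
      pullSecrets: []
    extraNamespaces: []
    # Pod Security Admission labels: audit/warn track "latest" while enforce is
    # pinned to v1.24, so newer restricted-profile checks are reported but not
    # enforced.
    podSecurity: ["pod-security.kubernetes.io/audit=restricted", "pod-security.kubernetes.io/audit-version=latest", "pod-security.kubernetes.io/warn=restricted", "pod-security.kubernetes.io/warn-version=latest", "pod-security.kubernetes.io/enforce=restricted", "pod-security.kubernetes.io/enforce-version=v1.24"]
    extraAnnotations: {}
    priorityClassName: ""
  affinity: {}
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}
  # No requests or limits are set for this hook job.
  resources: {}
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsGroup: 999
    runAsNonRoot: true
    runAsUser: 1000
postInstall:
  labelNamespace:
    serviceAccount:
      name: gatekeeper-update-namespace-label
      create: true
    enabled: true
    # Additional RBAC rules for the hook's role; keep empty unless a rule is
    # demonstrably needed.
    extraRules: []
    image:
      repository: chainreg.biz/chainguard-private/gatekeeper-crds
      tag: latest@sha256:b29180c2350d08d33674d1d0385e8455c9420308742f8d05f6623e1b5c0e9449
      pullPolicy: IfNotPresent
      pullSecrets: []
    extraNamespaces: []
    podSecurity: ["pod-security.kubernetes.io/audit=restricted", "pod-security.kubernetes.io/audit-version=latest", "pod-security.kubernetes.io/warn=restricted", "pod-security.kubernetes.io/warn-version=latest", "pod-security.kubernetes.io/enforce=restricted", "pod-security.kubernetes.io/enforce-version=v1.24"]
    extraAnnotations: {}
    priorityClassName: ""
  probeWebhook:
    enabled: true
    image:
      repository: chainreg.biz/chainguard-private/curl
      tag: latest@sha256:1e6c47ebb394b4ef0b21044516909679aabfe03b80c1164b19835e177b20f474
      pullPolicy: IfNotPresent
      pullSecrets: []
    waitTimeout: 60
    httpTimeout: 2
    # Keep false so the probe verifies the webhook's TLS certificate.
    insecureHTTPS: false
    priorityClassName: ""
  affinity: {}
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsGroup: 999
    runAsNonRoot: true
    runAsUser: 1000
preUninstall:
  deleteWebhookConfigurations:
    serviceAccount:
      name: gatekeeper-delete-webhook-configs
      create: true
    extraRules: []
    enabled: false
    image:
      repository: chainreg.biz/chainguard-private/gatekeeper-crds
      tag: latest@sha256:b29180c2350d08d33674d1d0385e8455c9420308742f8d05f6623e1b5c0e9449
      pullPolicy: IfNotPresent
      pullSecrets: []
    priorityClassName: ""
  affinity: {}
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}
  resources: {}
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsGroup: 999
    runAsNonRoot: true
    runAsUser: 1000
podAnnotations: {}
auditPodAnnotations: {}
podLabels: {}
podCountLimit: "100"
secretAnnotations: {}
enableRuntimeDefaultSeccompProfile: true
controllerManager:
  serviceAccount:
    name: gatekeeper-admin
  # NOTE(review): placement (controllerManager vs. its serviceAccount) could
  # not be recovered from the page — confirm.
  automountServiceAccountToken: true
  containerName: manager
  # Namespaces listed here bypass admission policy; review every addition.
  exemptNamespaces: []
  exemptNamespacePrefixes: []
  hostNetwork: false
  dnsPolicy: ClusterFirst
  port: 8443
  metricsPort: 8888
  healthPort: 9090
  readinessTimeout: 1
  livenessTimeout: 1
  priorityClassName: system-cluster-critical
  disableCertRotation: false
  # Unquoted, so YAML loads this as the float 1.3; quote the value when
  # overriding it to keep it a string.
  tlsMinVersion: 1.3
  clientCertName: ""
  strategyType: RollingUpdate
  strategyRollingUpdate: {}
  podLabels: {}
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: gatekeeper.sh/operation
                  operator: In
                  values:
                    - webhook
            topologyKey: kubernetes.io/hostname
          weight: 100
  topologySpreadConstraints: []
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}
  resources:
    limits:
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 512Mi
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsGroup: 999
    runAsNonRoot: true
    runAsUser: 1000
  podSecurityContext:
    fsGroup: 999
    supplementalGroups:
      - 999
  extraRules: []
  # No NetworkPolicy is applied by default. When enabling it, scope ingress to
  # the sources that must reach the webhook rather than the 0.0.0.0/0 shown in
  # the commented example.
  networkPolicy:
    enabled: false
    ingress: []
    # - from:
    #   - ipBlock:
    #       cidr: 0.0.0.0/0
  disableWebhookOperation: false
  disableGenerateOperation: true
# NOTE(review): placement (top level vs. controllerManager) could not be
# recovered from the page — confirm.
exportBackend: ""
audit:
  exportConnection:
    path: /tmp/violations/topics
    # NOTE(review): placement (exportConnection vs. audit) could not be
    # recovered from the page — confirm.
    maxAuditResults: 3
  exportVolumeMount:
    path: /tmp/violations
  exportVolume:
    name: tmp-violations
    emptyDir: {}
  exportSidecar:
    name: reader
    # Pinned by digest like the main image; keep the two digests in step when
    # updating.
    image: chainreg.biz/chainguard-private/gatekeeper:latest@sha256:2c46d34eb60c04b64994eeb2cc187a4ae5d4882ed2e44972327eb5f24336f684
    imagePullPolicy: Always
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true
      runAsGroup: 999
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
    volumeMounts:
      - mountPath: /tmp/violations
        name: tmp-violations
  serviceAccount:
    name: gatekeeper-admin
  # NOTE(review): placement (audit vs. its serviceAccount) could not be
  # recovered from the page — confirm.
  automountServiceAccountToken: true
  containerName: manager
  hostNetwork: false
  dnsPolicy: ClusterFirst
  metricsPort: 8888
  healthPort: 9090
  readinessTimeout: 1
  livenessTimeout: 1
  priorityClassName: system-cluster-critical
  disableCertRotation: false
  podLabels: {}
  affinity: {}
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}
  resources:
    limits:
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 512Mi
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsGroup: 999
    runAsNonRoot: true
    runAsUser: 1000
  podSecurityContext:
    fsGroup: 999
    supplementalGroups:
      - 999
  writeToRAMDisk: false
  extraRules: []
  disableGenerateOperation: false
  disableAuditOperation: false
  disableStatusOperation: false
crds:
  affinity: {}
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}
  resources: {}
  # The CRD job runs as 65532:65532, not the 1000:999 used by the other
  # workloads in this file.
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsGroup: 65532
    runAsNonRoot: true
    runAsUser: 65532
pdb:
  controllerManager:
    minAvailable: 1
service: {}
# Rego's http.send builtin is disabled, so constraint templates cannot make
# outbound HTTP requests from the admission controller. Removing this entry
# widens what a policy author can reach from inside the cluster.
disabledBuiltins: ["{http.send}"]
upgradeCRDs:
  serviceAccount:
    create: true
    name: gatekeeper-admin-upgrade-crds
  enabled: true
  extraRules: []
  priorityClassName: ""
rbac:
  create: true
externalCertInjection:
  enabled: false
  secretName: gatekeeper-webhook-server-cert
# NOTE(review): placement (top level vs. externalCertInjection) could not be
# recovered from the page — confirm.
serviceAccount:
  gatekeeperAdmin:
    create: true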
