Configuring Enforcer Options
There is currently a limited list of Enforcer options that can be configured when installing Chainguard into an existing Kubernetes cluster. This guide walks you through each of these Enforcer configuration settings.
Our getting started guide provides more detailed information on how to set up Chainguard Enforce; this document is a reference for configuring the different behaviors of your cluster.
We will use chainctl, the command line tool for working with Chainguard products, which you can install using our installation guide.
Enforcer Options
The list of available Enforcer options is detailed below:
- webhook_fail_open: a flag to enable or disable fail-open behavior for the Enforcer webhooks. The default is false.
- enable_cip_cache: a flag to enable or disable cluster image policy (CIP) caching. The default is false.
- namespace_enforcement_mode: defines the behavior of the Enforcer webhook's label selector. This option accepts two values, opt-in and opt-out. With opt-in, the Enforcer webhooks verify only namespaces labeled policy.sigstore.dev/include=true against the defined policies. With opt-out, every namespace is verified except those labeled policy.sigstore.dev/exclude=true, which are excluded from any verification related to the defined policies. The default is opt-in.
Install with chainctl
To install with chainctl, first authenticate before running any other command:
chainctl auth login
With your cluster already set up, install the Chainguard Enforce Agent with chainctl, using the --opt flag to set any Enforcer-specific settings.
For this example on GKE, EKS, or AKS cloud infrastructure, we enable the cluster webhook to fail open with the following command.
chainctl cluster install --group=$GROUP_ID --context $CLUSTER --opt=webhook_fail_open=true
In this next example, using a private or on-prem cluster, we configure the Chainguard cluster to enable the cluster image policy (CIP) cache and fail-open behavior for the Enforce webhooks.
chainctl cluster install --group=$GROUP_ID --private --context $CLUSTER --opt=webhook_fail_open=true --opt=enable_cip_cache=true
Be sure to replace the $GROUP_ID and $CLUSTER variables with your IAM Group ID and the name of your Kubernetes cluster, respectively.
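As an added example that is not part of the Chainguard docs, the following POSIX shell helper validates --opt settings against the three option names and their allowed values listed above before assembling the chainctl cluster install command line, so a typo cannot silently produce an unintended setting such as a webhook that fails open. It assumes the option names, the --opt syntax and the --private flag exactly as shown on this page; the placeholder group and cluster values are constructed.

```shell
#!/bin/sh
# Added example, not Chainguard's own tooling: check Enforcer --opt settings
# locally before handing them to `chainctl cluster install`.

# build_enforcer_opts KEY=VALUE...
# Prints the validated "--opt=key=value" flags and returns 0, or prints an
# error to stderr and returns 1. Only the three documented options are known.
build_enforcer_opts() {
  flags=""
  for kv in "$@"; do
    key=${kv%%=*}
    val=${kv#*=}          # equals the whole string when no '=' is present
    case "$key" in
      webhook_fail_open|enable_cip_cache)
        case "$val" in
          true|false) ;;
          *) echo "error: $key must be true or false, got '$val'" >&2; return 1 ;;
        esac ;;
      namespace_enforcement_mode)
        case "$val" in
          opt-in|opt-out) ;;
          *) echo "error: $key must be opt-in or opt-out, got '$val'" >&2; return 1 ;;
        esac ;;
      *) echo "error: unknown Enforcer option '$key'" >&2; return 1 ;;
    esac
    flags="$flags --opt=$key=$val"
  done
  printf '%s' "${flags# }"
}

# install_cmd GROUP_ID CLUSTER yes|no KEY=VALUE...
# Builds the install command; the third argument adds --private for
# on-prem clusters, as in the page's second example.
install_cmd() {
  group=$1; cluster=$2; private=$3; shift 3
  opts=$(build_enforcer_opts "$@") || return 1
  cmd="chainctl cluster install --group=$group --context $cluster"
  [ "$private" = "yes" ] && cmd="$cmd --private"
  printf '%s' "$cmd $opts"
}

# Usage: reproduce the on-prem example from the page (placeholders are
# constructed; export GROUP_ID and CLUSTER to use real values).
install_cmd "${GROUP_ID:-<group-id>}" "${CLUSTER:-<cluster-name>}" yes \
  webhook_fail_open=true enable_cip_cache=true && echo
```

The helper only prints the command; run its output yourself once it matches what you expect.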
If you would like more detail about installing the Chainguard Enforce Agent with chainctl, or on getting onboarded to Chainguard Enforce, check out our Getting Started guide.
Next Steps
With Chainguard installed in your cluster, continue learning about Enforce by reading the Getting Started Guide, learn how to manage policies with chainctl, or follow the tutorial on how to detect the Log4Shell vulnerability with Enforce.