BunkerWeb Helm Chart - Enhanced Values Reference

July 10, 2026 · View on GitHub

Comprehensive reference for all configuration values available in the BunkerWeb Helm chart, including nested structures.

⚠️ Auto-generated: This file is automatically generated from values.yaml. Do not edit manually. 🔧 Enhanced: This version includes deep analysis of nested structures like scheduler.features.

Table of Contents

  • [Global Settings](#global settings) - Global image pull secrets for private registries
  • bunkerweb - Main reverse proxy and WAF component
  • ui - Web interface for BunkerWeb management and monitoring
  • scheduler - Manages BunkerWeb configuration and coordination
  • controller - Kubernetes controller for automatic Ingress management
  • mariadb - Database backend for BunkerWeb configuration and logs
  • redis - Cache and session storage for BunkerWeb
  • grafana - Dashboards and visualization
  • prometheus - Metrics collection and storage
  • api - External API for BunkerWeb that exposes REST interface for automation tools
  • gatewayClass - Kubernetes GatewayClass resource for BunkerWeb
  • ingressClass - Kubernetes IngressClass resource for BunkerWeb
  • mcp - Model Context Protocol (MCP) server for BunkerWeb Requires BunkerWeb API component to be enabled
  • networkPolicy - Network policies for micro-segmentation
  • service - External service for BunkerWeb (LoadBalancer/NodePort)
  • settings - Configuration for BunkerWeb behavior in Kubernetes environment

Global Settings

Global image pull secrets for private registries

ParameterDescriptionTypeDefault
fullnameOverrideOverride the full resource name (default: release-chart)string""
imagePullSecretsGlobal image pull secrets for private registrieslist[]
nameOverrideOverride the chart name (default: chart name)string""
namespaceOverrideOverride the namespace (default: release namespace)string""
nodeSelectorNode selector for all pods (can be overridden per component)object{}
tolerationsTolerations for all pods (can be overridden per component)list[]
topologySpreadConstraintsTopology spread constraints for better pod distributionlist[]

bunkerweb

Main reverse proxy and WAF component

ParameterDescriptionTypeDefault
bunkerwebMain reverse proxy and WAF componentobjectSee nested values
bunkerweb.affinityPod affinity rulesobject{}
bunkerweb.enableInstancePod annotations for Kubernetes integration (required) This enables BunkerWeb to be managed by the co...booltrue
bunkerweb.enabledEnable BunkerWeb component, should always be true except for sidecar use casesbooltrue
bunkerweb.extraEnvsAdditional environment variableslist[]
bunkerweb.hostPortsUse host ports for direct traffic (only for DaemonSet) Allows binding to ports 80/443 on each nodebooltrue
bunkerweb.hpaHorizontal Pod Autoscaler (HPA) configuration Make sure to set resources.requests for CPU and/or mem...objectSee nested values
bunkerweb.imagePullSecretsImage pull secrets (overrides global setting)list[]
bunkerweb.initContainersCustom init containers for the BunkerWeb pod Runs before the BunkerWeb container (e.g. to prepare a ...list[]
bunkerweb.kindDeployment type: "DaemonSet" or "Deployment" or "StatefulSet" DaemonSet: Runs one pod per node (reco...string"Deployment"
bunkerweb.livenessProbeLiveness probe configurationobjectSee nested values
bunkerweb.nodeSelectorNode selector (overrides global setting)object{}
bunkerweb.pdb# PodDisruptionBudget for default backend # bunkerweb Pod Disruption Budget configuration # ref: htt...objectSee nested values
bunkerweb.podAnnotationsAdditional pod annotationsobject{}
bunkerweb.podAntiAffinityPresetAnti-affinity preset: "soft" or "hard" soft: Prefers not to schedule pods on same node hard: Never s...string"soft"
bunkerweb.podLabelsAdditional pod labelsobject{}
bunkerweb.pullPolicyConfiguration for pullPolicystring"IfNotPresent"
bunkerweb.readinessProbeReadiness probe configurationobjectSee nested values
bunkerweb.replicasNumber of replicas (for Deployment & StatefulSet kind) Minimum 2 for high availability and PodDisrup...int1
bunkerweb.repositoryContainer image configuration Also available at ghcr.io/bunkerity/bunkerwebstring"docker.io/bunkerity/bunkerweb"
bunkerweb.securityContextSecurity context for BunkerWeb containerobjectSee nested values
bunkerweb.serviceInternal service configuration (for inter-pod communication)objectSee nested values
bunkerweb.tagConfiguration for tagstring"1.6.12"
bunkerweb.tolerationsTolerations (overrides global setting)list[]
bunkerweb.volumeMountsCustom volume mounts configuration Defines where to mount the custom volumes in the containerlist[]
bunkerweb.volumesCustom volumes configuration Allows mounting additional volumes to the BunkerWeb containerlist[]
bunkerweb.hpa.behaviorHPA behavior configuration Controls the scaling speed and stabilizationobjectSee nested values
bunkerweb.hpa.cpuCPU-based scaling configurationobjectSee nested values
bunkerweb.hpa.enabledEnable HPA for bunkerweb componentboolfalse
bunkerweb.hpa.maxReplicasMaximum number of replicasint10
bunkerweb.hpa.memoryMemory-based scaling configurationobjectSee nested values
bunkerweb.hpa.minReplicasMinimum number of replicas (ignored for DaemonSet)int2
bunkerweb.hpa.nameOverrideOptional name override for the target resource If empty, uses the default release fullnamestring""
bunkerweb.hpa.targetKindTarget kind for scaling (Deployment or StatefulSet)string"Deployment"
bunkerweb.livenessProbe.execConfiguration for execobjectSee nested values
bunkerweb.livenessProbe.failureThresholdConfiguration for failureThresholdint3
bunkerweb.livenessProbe.initialDelaySecondsConfiguration for initialDelaySecondsint30
bunkerweb.livenessProbe.periodSecondsConfiguration for periodSecondsint5
bunkerweb.livenessProbe.timeoutSecondsConfiguration for timeoutSecondsint1
bunkerweb.pdb.createEnable creation of Pod Disruption Budget Make sure you have at least 2 replicas if enabledbooltrue
bunkerweb.pdb.maxUnavailableMaximum number/percentage of pods that can be unavailablestring""
bunkerweb.pdb.minAvailableMinimum number/percentage of pods that must remain availablestring""
bunkerweb.readinessProbe.execConfiguration for execobjectSee nested values
bunkerweb.readinessProbe.failureThresholdConfiguration for failureThresholdint3
bunkerweb.readinessProbe.initialDelaySecondsConfiguration for initialDelaySecondsint30
bunkerweb.readinessProbe.periodSecondsConfiguration for periodSecondsint1
bunkerweb.readinessProbe.timeoutSecondsConfiguration for timeoutSecondsint1
bunkerweb.securityContext.allowPrivilegeEscalationConfiguration for allowPrivilegeEscalationboolfalse
bunkerweb.securityContext.capabilitiesConfiguration for capabilitiesobjectSee nested values
bunkerweb.securityContext.runAsGroupConfiguration for runAsGroupint101
bunkerweb.securityContext.runAsUserConfiguration for runAsUserint101
bunkerweb.service.headlessUse headless service (clusterIP: None) for service discovery If false, creates a ClusterIP service w...booltrue
bunkerweb.hpa.behavior.scaleDownConfiguration for scaleDownobjectSee nested values
bunkerweb.hpa.behavior.scaleUpConfiguration for scaleUpobjectSee nested values
bunkerweb.hpa.cpu.enabledConfiguration for enabledbooltrue
bunkerweb.hpa.cpu.targetAverageUtilizationConfiguration for targetAverageUtilizationint90
bunkerweb.hpa.memory.enabledConfiguration for enabledboolfalse
bunkerweb.hpa.memory.targetAverageUtilizationConfiguration for targetAverageUtilizationint90
bunkerweb.livenessProbe.exec.commandConfiguration for commandlist['/usr/share/bunkerweb/helpers/healthcheck.sh']
bunkerweb.readinessProbe.exec.commandConfiguration for commandlist['/usr/share/bunkerweb/helpers/healthcheck.sh', 'ok']
bunkerweb.securityContext.capabilities.dropConfiguration for droplist['ALL']

ui

Web interface for BunkerWeb management and monitoring

ParameterDescriptionTypeDefault
uiWeb interface for BunkerWeb management and monitoringobjectSee nested values
ui.enabledEnable the web UIbooltrue
ui.extraEnvsAdditional environment variableslist[]
ui.imagePullSecretsImage pull secrets (overrides global setting)list[]
ui.livenessProbeLiveness probe configurationobjectSee nested values
ui.logsLog collection configurationobjectSee nested values
ui.nodeSelectorNode selector (overrides global setting)object{}
ui.podAnnotationsAdditional pod annotationsobject{}
ui.podLabelsAdditional pod labelsobject{}
ui.pullPolicyConfiguration for pullPolicystring"IfNotPresent"
ui.readinessProbeReadiness probe configurationobjectSee nested values
ui.repositoryContainer image configuration Also available at ghcr.io/bunkerity/bunkerweb-uistring"docker.io/bunkerity/bunkerweb-ui"
ui.securityContextSecurity context for UI containerobjectSee nested values
ui.tagConfiguration for tagstring"1.6.12"
ui.tolerationsTolerations (overrides global setting)list[]
ui.livenessProbe.execConfiguration for execobjectSee nested values
ui.livenessProbe.failureThresholdConfiguration for failureThresholdint3
ui.livenessProbe.initialDelaySecondsConfiguration for initialDelaySecondsint30
ui.livenessProbe.periodSecondsConfiguration for periodSecondsint5
ui.livenessProbe.timeoutSecondsConfiguration for timeoutSecondsint1
ui.logs.enabledEnable log collection sidecar ONLY WORKING FROM BunkerWeb version 1.6.7 and laterboolfalse
ui.logs.logrotateLog rotation and cleanup configuration Periodically rotates UI logs and removes old log filesobjectSee nested values
ui.logs.persistencePersistent storage for logsobjectSee nested values
ui.logs.pullPolicyConfiguration for pullPolicystring"IfNotPresent"
ui.logs.repositorySyslog-ng container for log collectionstring"docker.io/balabit/syslog-ng"
ui.logs.syslogAddressSyslog address for log forwarding Automatically set to Sidecar service if empty Format: HOST:PORT "s...string""
ui.logs.tagConfiguration for tagstring"4.8.0"
ui.logs.timezoneTimezone for the syslog-ng container If empty, uses the container default (UTC)string""
ui.readinessProbe.execConfiguration for execobjectSee nested values
ui.readinessProbe.failureThresholdConfiguration for failureThresholdint3
ui.readinessProbe.initialDelaySecondsConfiguration for initialDelaySecondsint30
ui.readinessProbe.periodSecondsConfiguration for periodSecondsint1
ui.readinessProbe.timeoutSecondsConfiguration for timeoutSecondsint1
ui.securityContext.allowPrivilegeEscalationConfiguration for allowPrivilegeEscalationboolfalse
ui.securityContext.capabilitiesConfiguration for capabilitiesobjectSee nested values
ui.securityContext.runAsGroupConfiguration for runAsGroupint101
ui.securityContext.runAsUserConfiguration for runAsUserint101
ui.livenessProbe.exec.commandConfiguration for commandlist['/usr/share/bunkerweb/helpers/healthcheck-ui.sh']
ui.logs.logrotate.enabledEnable periodic log rotation for UI logsbooltrue
ui.logs.logrotate.filesLog file patterns to rotate (required when logrotate.enabled=true). This list is matched against log...list['bw-autoconf.log', 'bw-scheduler.log', 'bw-ui-access.log', 'bw-ui.log']
ui.logs.logrotate.rotateNumber of days to keep UI log files Log files older than this value will be automatically removedint2
ui.logs.logrotate.scheduleCron schedule for the log rotation job Default: daily at 00:00string"0 0 * * *"
ui.logs.persistence.sizeConfiguration for sizestring"5Gi"
ui.logs.persistence.storageClassStorage class for log persistence Leave empty for default storage classstring""
ui.readinessProbe.exec.commandConfiguration for commandlist['/usr/share/bunkerweb/helpers/healthcheck-ui.sh']
ui.securityContext.capabilities.dropConfiguration for droplist['ALL']

scheduler

Manages BunkerWeb configuration and coordination

ParameterDescriptionTypeDefault
schedulerManages BunkerWeb configuration and coordinationobjectSee nested values
scheduler.extraEnvsAdditional environment variables for advanced configuration These will be merged with the feature co...list[]
scheduler.featuresBunkerWeb feature configuration These settings control the behavior of BunkerWeb security features T...objectSee nested values
scheduler.imagePullSecretsImage pull secrets (overrides global setting)list[]
scheduler.initContainersCustom init containers for the scheduler pod Runs before the scheduler container; commonly used to i...list[]
scheduler.livenessProbeLiveness probe configurationobjectSee nested values
scheduler.maxWorkersMaximum number of threads in the job executor pool Empty string falls back to the upstream default (...string""
scheduler.nodeSelectorNode selector (overrides global setting)object{}
scheduler.podAnnotationsAdditional pod annotationsobject{}
scheduler.podLabelsAdditional pod labelsobject{}
scheduler.proLicenseKeyPRO Features configuration BunkerWeb PRO license key for advanced featuresstring""
scheduler.pullPolicyConfiguration for pullPolicystring"IfNotPresent"
scheduler.repositoryContainer image configuration Also available at ghcr.io/bunkerity/bunkerweb-schedulerstring"docker.io/bunkerity/bunkerweb-scheduler"
scheduler.securityContextSecurity context for scheduler containerobjectSee nested values
scheduler.tagConfiguration for tagstring"1.6.12"
scheduler.tolerationsTolerations (overrides global setting)list[]
scheduler.usePrometheusExporterEnable Prometheus metrics exporter and creates a service for it Requires BunkerWeb PRO licenseboolfalse
scheduler.volumeMountsCustom volume mounts for the scheduler container Where to mount scheduler.volumes inside the contain...list[]
scheduler.volumesCustom volumes for the scheduler pod Used together with scheduler.volumeMounts (e.g. a PVC holding c...list[]
scheduler.features.antibotConfiguration for antibotobjectSee nested values
scheduler.features.authBasicConfiguration for authBasicobjectSee nested values
scheduler.features.backupConfiguration for backupobjectSee nested values
scheduler.features.badBehaviorConfiguration for badBehaviorobjectSee nested values
scheduler.features.blacklistConfiguration for blacklistobjectSee nested values
scheduler.features.bunkerNetConfiguration for bunkerNetobjectSee nested values
scheduler.features.clientCacheConfiguration for clientCacheobjectSee nested values
scheduler.features.compressionConfiguration for compressionobjectSee nested values
scheduler.features.corsConfiguration for corsobjectSee nested values
scheduler.features.crowdSecConfiguration for crowdSecobjectSee nested values
scheduler.features.customSslCustom SSL certificateobjectSee nested values
scheduler.features.databasePoolConfiguration for databasePoolobjectSee nested values
scheduler.features.dnsblConfiguration for dnsblobjectSee nested values
scheduler.features.errorsConfiguration for errorsobjectSee nested values
scheduler.features.geoBlockingConfiguration for geoBlockingobjectSee nested values
scheduler.features.globalConfiguration for globalobjectSee nested values
scheduler.features.greylistConfiguration for greylistobjectSee nested values
scheduler.features.grpcConfiguration for grpcobjectSee nested values
scheduler.features.headersConfiguration for headersobjectSee nested values
scheduler.features.htmlInjectionConfiguration for htmlInjectionobjectSee nested values
scheduler.features.letsEncryptLet's Encrypt configurationobjectSee nested values
scheduler.features.metricsConfiguration for metricsobjectSee nested values
scheduler.features.modsecurityConfiguration for modsecurityobjectSee nested values
scheduler.features.phpConfiguration for phpobjectSee nested values
scheduler.features.rateLimitConfiguration for rateLimitobjectSee nested values
scheduler.features.realIpConfiguration for realIpobjectSee nested values
scheduler.features.redirectConfiguration for redirectobjectSee nested values
scheduler.features.reverseProxyConfiguration for reverseProxyobjectSee nested values
scheduler.features.reverseScanConfiguration for reverseScanobjectSee nested values
scheduler.features.robotsTxtConfiguration for robotsTxtobjectSee nested values
scheduler.features.securityTxtConfiguration for securityTxtobjectSee nested values
scheduler.features.sessionsConfiguration for sessionsobjectSee nested values
scheduler.features.sslConfiguration for sslobjectSee nested values
scheduler.features.streamConfiguration for streamobjectSee nested values
scheduler.features.timeoutsConfiguration for timeoutsobjectSee nested values
scheduler.features.whitelistConfiguration for whitelistobjectSee nested values
scheduler.livenessProbe.execConfiguration for execobjectSee nested values
scheduler.livenessProbe.failureThresholdConfiguration for failureThresholdint3
scheduler.livenessProbe.initialDelaySecondsConfiguration for initialDelaySecondsint180
scheduler.livenessProbe.periodSecondsConfiguration for periodSecondsint10
scheduler.livenessProbe.timeoutSecondsConfiguration for timeoutSecondsint1
scheduler.securityContext.allowPrivilegeEscalationConfiguration for allowPrivilegeEscalationboolfalse
scheduler.securityContext.capabilitiesConfiguration for capabilitiesobjectSee nested values
scheduler.securityContext.runAsGroupConfiguration for runAsGroupint101
scheduler.securityContext.runAsUserConfiguration for runAsUserint101
scheduler.features.antibot.antibotIgnoreIpIPs to bypass antibot challenges (space-separated)string""
scheduler.features.antibot.antibotIgnoreUriURIs to bypass antibot challenges (regex patterns, space-separated)string""
scheduler.features.antibot.antibotRdnsGlobalOnly perform reverse DNS antibot checks on public IP addresses ("yes" or "no")string""
scheduler.features.antibot.antibotRecaptchaClassicUse classic reCAPTCHA instead of newer versionstring""
scheduler.features.antibot.antibotTimeResolveTime limit to complete challenge (seconds)string""
scheduler.features.antibot.antibotTimeValidChallenge validity duration (seconds)string""
scheduler.features.antibot.antibotUriChallenge URI (must be unique and not used by your application)string""
scheduler.features.antibot.useAntibotAntibot challenge type: "no", "cookie", "javascript", "captcha", "recaptcha", "hcaptcha", "turnstile...string""
scheduler.features.authBasic.authBasicLocationProtection scope: "sitewide" or specific pathstring""
scheduler.features.authBasic.authBasicPasswordPassword (multiple values supported with suffix _1, _2, etc.)string""
scheduler.features.authBasic.authBasicTextAuthentication prompt textstring""
scheduler.features.authBasic.authBasicUserUsername (multiple values supported with suffix _1, _2, etc.)string""
scheduler.features.authBasic.useAuthBasicEnable HTTP Basic Authenticationstring""
scheduler.features.backup.backupDirectoryBackup directorystring""
scheduler.features.backup.backupRotationNumber of backups to retainstring""
scheduler.features.backup.backupScheduleBackup frequency: "daily", "weekly", "monthly"string""
scheduler.features.backup.useBackupEnable backup functionalitystring""
scheduler.features.badBehavior.badBehaviorBanTimeBan duration (seconds, 0 = permanent)string""
scheduler.features.badBehavior.badBehaviorCountTimeTime window for counting bad requests (seconds)string""
scheduler.features.badBehavior.badBehaviorStatusCodesHTTP status codes considered "bad" (space-separated)string""
scheduler.features.badBehavior.badBehaviorThresholdThreshold before banning IPstring""
scheduler.features.badBehavior.useBadBehaviorEnable bad behavior detectionstring""
scheduler.features.blacklist.blacklistCommunityListsCommunity blacklists to usestring""
scheduler.features.blacklist.blacklistIpManual IP blacklist (space-separated)string""
scheduler.features.blacklist.blacklistIpUrlsBlacklist URLs for automatic updatesstring""
scheduler.features.blacklist.useBlacklistEnable blacklist functionalitystring""
scheduler.features.bunkerNet.bunkernetServerBunkerNet API serverstring""
scheduler.features.bunkerNet.useBunkernetEnable BunkerNet threat intelligencestring""
scheduler.features.clientCache.clientCacheControlCache-Control header valuestring""
scheduler.features.clientCache.clientCacheEtagEnable ETagsstring""
scheduler.features.clientCache.clientCacheExtensionsFile extensions to cache (pipe-separated)string""
scheduler.features.clientCache.useClientCacheEnable client-side cachingstring""
scheduler.features.compression.brotliCompLevelBrotli compression level (0-11)string""
scheduler.features.compression.gzipCompLevelGZIP compression level (1-9)string""
scheduler.features.compression.gzipMinLengthMinimum response size for compression (bytes)string""
scheduler.features.compression.useBrotliEnable Brotli compressionstring""
scheduler.features.compression.useGzipEnable GZIP compressionstring""
scheduler.features.cors.corsAllowCredentialsAllow credentialsstring""
scheduler.features.cors.corsAllowHeadersAllowed headersstring""
scheduler.features.cors.corsAllowMethodsAllowed HTTP methodsstring""
scheduler.features.cors.corsAllowOriginAllowed origins (regex pattern or "self" or "*")string""
scheduler.features.cors.useCorsEnable CORSstring""
scheduler.features.crowdSec.crowdSecApiCrowdSec Local API URLstring""
scheduler.features.crowdSec.crowdSecApiKeyCrowdSec API keystring""
scheduler.features.crowdSec.crowdSecAppsecUrlAppSec component URL (optional)string""
scheduler.features.crowdSec.crowdSecModeOperation mode: "live" or "stream"string""
scheduler.features.crowdSec.useCrowdSecEnable CrowdSec integrationstring""
scheduler.features.customSsl.customSslCertCertificate file pathstring""
scheduler.features.customSsl.customSslCertPriorityCertificate priority: "file" or "data"string""
scheduler.features.customSsl.customSslKeyPrivate key file pathstring""
scheduler.features.customSsl.useCustomSslUse custom SSL certificatesstring""
scheduler.features.databasePool.databasePoolMaxOverflowMax connections above pool sizestring""
scheduler.features.databasePool.databasePoolPrePingTest connections for liveness on checkoutstring""
scheduler.features.databasePool.databasePoolRecycleSeconds after which connection is recycled (-1 to disable)string""
scheduler.features.databasePool.databasePoolResetOnReturnHow to reset connection on return (auto/none/rollback)string""
scheduler.features.databasePool.databasePoolSizeNumber of connections in the poolstring""
scheduler.features.databasePool.databasePoolTimeoutSeconds to wait for a connection from poolstring""
scheduler.features.databasePool.databaseRequestRetryAttemptsRetry attempts for transient errorsstring""
scheduler.features.databasePool.databaseRequestRetryDelayDelay between retry attempts (seconds)string""
scheduler.features.databasePool.databaseRetryTimeoutMax seconds to wait for database on startupstring""
scheduler.features.dnsbl.dnsblListDNSBL servers to query (space-separated)string""
scheduler.features.dnsbl.useDnsblEnable DNSBL checkingstring""
scheduler.features.errors.errorsCustom error page mappings (ERROR_CODE=/path/to/file.html)string""
scheduler.features.errors.interceptedErrorCodesHTTP error codes to interceptstring""
scheduler.features.geoBlocking.blacklistCountryBlocked countries (ISO 3166-1 alpha-2 codes or group tokens like @EU, @G7, @FIVE_EYES, space-separat...string""
scheduler.features.geoBlocking.whitelistCountryAllowed countries (ISO 3166-1 alpha-2 codes or group tokens like @EU, @G7, @FIVE_EYES, space-separat...string""
scheduler.features.global.disableDefaultServerDefault server protectionstring""
scheduler.features.global.disableDefaultServerStrictSniConfiguration for disableDefaultServerStrictSnistring""
scheduler.features.global.maxHeadersMaximum number of header lines per request (rejected if exceeded)string""
scheduler.features.global.securityModeSecurity mode: "detect" for monitoring only, "block" for active protectionstring""
scheduler.features.global.workerShutdownTimeoutTimeout for graceful shutdown of old NGINX workers after reloads (e.g. "30s")string""
scheduler.features.greylist.greylistIpIP addresses to greylist (space-separated CIDR)string""
scheduler.features.greylist.greylistIpUrlsGreylist URLs for automatic updatesstring""
scheduler.features.greylist.useGreylistEnable greylist functionalitystring""
scheduler.features.grpc.grpcConnectTimeoutTimeout when connecting to gRPC upstreamstring""
scheduler.features.grpc.grpcCustomHostOverride Host header sent to gRPC upstreamstring""
scheduler.features.grpc.grpcHeadersHeaders to send to gRPC upstream (semicolon-separated)string""
scheduler.features.grpc.grpcHideHeadersHeaders to hide from clientsstring""
scheduler.features.grpc.grpcHostUpstream value (e.g., grpc://app:50051 or grpcs://app:443)string""
scheduler.features.grpc.grpcIncludesAdditional config for gRPC location blockstring""
scheduler.features.grpc.grpcInterceptErrorsIntercept and rewrite gRPC upstream errorsstring""
scheduler.features.grpc.grpcNextUpstreamConditions for selecting next gRPC upstream serverstring""
scheduler.features.grpc.grpcNextUpstreamTimeoutTime limit for passing request to next serverstring""
scheduler.features.grpc.grpcNextUpstreamTriesMax attempts to pass request to next serverstring""
scheduler.features.grpc.grpcReadTimeoutTimeout when reading from gRPC upstreamstring""
scheduler.features.grpc.grpcSendTimeoutTimeout when sending to gRPC upstreamstring""
scheduler.features.grpc.grpcSocketKeepaliveEnable keepalive for gRPC upstream socketsstring""
scheduler.features.grpc.grpcSslSniEnable SNI for gRPC upstreamstring""
scheduler.features.grpc.grpcSslSniNameSNI host name for gRPC upstreamstring""
scheduler.features.grpc.grpcUrlLocation URL to proxy to gRPC upstreamstring""
scheduler.features.grpc.useGrpcEnable gRPC reverse proxy modestring""
scheduler.features.headers.contentSecurityPolicyContent Security Policystring""
scheduler.features.headers.contentSecurityPolicyReportOnlyCSP report-only modestring""
scheduler.features.headers.customHeaderCustom headers (multiple values supported with suffix _1, _2, etc.)string""
scheduler.features.headers.referrerPolicyReferrer Policystring""
scheduler.features.headers.removeHeadersHeaders to remove (space-separated)string""
scheduler.features.headers.strictTransportSecurityHSTS headerstring""
scheduler.features.headers.xContentTypeOptionsX-Content-Type-Options headerstring""
scheduler.features.headers.xFrameOptionsX-Frame-Options headerstring""
scheduler.features.htmlInjection.injectBodyHTML to inject before string""
scheduler.features.htmlInjection.injectHeadHTML to inject in sectionstring""
scheduler.features.letsEncrypt.autoLetsEncryptEnable automatic Let's Encrypt certificatesstring""
scheduler.features.letsEncrypt.emailLetsEncryptEmail for Let's Encrypt notificationsstring""
scheduler.features.letsEncrypt.letsEncryptChallengeChallenge type: "http" or "dns"string""
scheduler.features.letsEncrypt.letsEncryptCustomProfileCustom certificate profile (overrides letsEncryptProfile)string""
scheduler.features.letsEncrypt.letsEncryptDnsProviderDNS provider for DNS challengesstring""
scheduler.features.letsEncrypt.letsEncryptMaxLogBackupsMaximum number of rotated certbot log files to keep per jobstring""
scheduler.features.letsEncrypt.letsEncryptProfileCertificate profile: "classic" or other profilesstring""
scheduler.features.letsEncrypt.letsEncryptServerCertificate authority server: "letsencrypt" or "zerossl"string""
scheduler.features.letsEncrypt.letsEncryptZerosslApiConnectTimeoutZeroSSL API connection timeout (seconds)string""
scheduler.features.letsEncrypt.letsEncryptZerosslApiKeyZeroSSL API key (optional, falls back to email)string""
scheduler.features.letsEncrypt.letsEncryptZerosslApiMaxTimeZeroSSL API max time (seconds)string""
scheduler.features.letsEncrypt.letsEncryptZerosslApiRetryZeroSSL API retry countstring""
scheduler.features.letsEncrypt.letsEncryptZerosslApiRetryDelayZeroSSL API retry delay (seconds)string""
scheduler.features.letsEncrypt.useLetsEncryptWildcardEnable wildcard certificates (DNS challenges only)string""
scheduler.features.metrics.datastoreLruSizeSlot count for the shared per-worker datastore LRU (accepts k/m suffix)string""
scheduler.features.metrics.maxLruHistoryCaps per-worker LRU event history (accepts k/m suffix, e.g. "1k")string""
scheduler.features.metrics.metricsMaxBlockedRequestsMax blocked requests per workerstring""
scheduler.features.metrics.metricsMaxBlockedRequestsRedisMax blocked requests stored in Redis (accepts k/m suffix, e.g. "10k")string""
scheduler.features.metrics.metricsMemorySizeMemory size for metrics storagestring""
scheduler.features.metrics.metricsSaveToRedisSave metrics to Redisstring""
scheduler.features.metrics.useMetricsEnable metrics collectionstring""
scheduler.features.modsecurity.modsecurityCrsPluginsList of CRS plugins to install (space-separated)string""
scheduler.features.modsecurity.modsecurityCrsVersionCRS version: "3", "4", or "nightly"string""
scheduler.features.modsecurity.modsecuritySecRequestBodyLimitSecRequestBodyLimit (maximum request body size ModSecurity will inspect, bytes) Empty string falls b...string""
scheduler.features.modsecurity.modsecuritySecRequestBodyLimitActionSecRequestBodyLimitAction ("Reject" returns HTTP 413, "ProcessPartial" inspects only the prefix)string""
scheduler.features.modsecurity.modsecuritySecRuleEngineRule engine: "On", "DetectionOnly", or "Off"string""
scheduler.features.modsecurity.useModsecurityEnable ModSecurity Web Application Firewallstring""
scheduler.features.modsecurity.useModsecurityCrsEnable OWASP Core Rule Setstring""
scheduler.features.modsecurity.useModsecurityCrsPluginsEnable CRS plugins for enhanced protectionstring""
scheduler.features.php.localPhpLocal PHP-FPM socketstring""
scheduler.features.php.localPhpPathLocal PHP-FPM pathstring""
scheduler.features.php.remotePhpRemote PHP-FPM hoststring""
scheduler.features.php.remotePhpPortRemote PHP-FPM portstring""
scheduler.features.php.remotephpPathRemote PHP-FPM pathstring""
scheduler.features.rateLimit.limitConnMaxHttp1Max HTTP/1.1 connections per IPstring""
scheduler.features.rateLimit.limitConnMaxHttp2Max HTTP/2 connections per IPstring""
scheduler.features.rateLimit.limitConnMaxHttp3Max HTTP/3 connections per IPstring""
scheduler.features.rateLimit.limitReqRateRate limit (e.g., "2r/s", "60r/m")string""
scheduler.features.rateLimit.limitReqUrlURL pattern to apply rate limitingstring""
scheduler.features.rateLimit.useLimitConnEnable connection limitingstring""
scheduler.features.rateLimit.useLimitReqEnable request rate limitingstring""
scheduler.features.realIp.realIpFromTrusted proxy IPs (space-separated CIDR)string""
scheduler.features.realIp.realIpHeaderHeader containing real IPstring""
scheduler.features.realIp.realIpRecursiveEnable recursive IP detectionstring""
scheduler.features.realIp.useProxyProtocolEnable PROXY protocol supportstring""
scheduler.features.realIp.useRealIpEnable real IP detection (behind proxy/load balancer)string""
scheduler.features.redirect.redirectFromPath to redirect fromstring""
scheduler.features.redirect.redirectToDestination URLstring""
scheduler.features.redirect.redirectToRequestUriPreserve request URIstring""
scheduler.features.redirect.redirectToStatusCodeHTTP status code for redirectstring""
scheduler.features.reverseProxy.reverseProxyConnectTimeoutConnection timeoutstring""
scheduler.features.reverseProxy.reverseProxyHostBackend server URLs (multiple values supported with suffix _1, _2, etc.)string""
scheduler.features.reverseProxy.reverseProxyHttpVersionHTTP protocol version used to talk to the upstream ("1.0", "1.1", or "2") WebSocket upstreams stay o...string""
scheduler.features.reverseProxy.reverseProxyKeepaliveEnable keepalive connections with the proxied resource ("yes" or "no")string""
scheduler.features.reverseProxy.reverseProxyModsecurityEnable or disable ModSecurity for this reverse proxy location ("yes" or "no") Set to "no" for endpoi...string""
scheduler.features.reverseProxy.reverseProxyReadTimeoutRead timeoutstring""
scheduler.features.reverseProxy.reverseProxySendTimeoutSend timeoutstring""
scheduler.features.reverseProxy.reverseProxySslTrustedCertificateAbsolute path to a PEM CA bundle used to verify the upstream certificate. The file must exist on the...string""
scheduler.features.reverseProxy.reverseProxySslVerifyVerify the upstream server's SSL certificate ("yes" or "no") Requires reverseProxySslTrustedCertific...string""
scheduler.features.reverseProxy.reverseProxySslVerifyDepthVerification depth in the upstream server certificate chainstring""
scheduler.features.reverseProxy.reverseProxyUrlURL paths to proxy (multiple values supported with suffix _1, _2, etc.)string""
scheduler.features.reverseProxy.useReverseProxyEnable reverse proxy functionalitystring""
scheduler.features.reverseScan.reverseScanPortsPorts to scan on client (space-separated)string""
scheduler.features.reverseScan.reverseScanTimeoutScan timeout (milliseconds)string""
scheduler.features.reverseScan.useReverseScanEnable client port scanningstring""
scheduler.features.robotsTxt.robotsTxtCommunityListsCommunity lists to includestring""
scheduler.features.robotsTxt.robotsTxtDarkvisitorsTokenDarkVisitors API tokenstring""
scheduler.features.robotsTxt.robotsTxtRuleManual robots.txt rules (multiple values supported)string""
scheduler.features.robotsTxt.robotsTxtSitemapSitemap URLs (multiple values supported)string""
scheduler.features.robotsTxt.useRobotsTxtEnable robots.txt generationstring""
scheduler.features.securityTxt.securityTxtContactContact information (multiple values supported)string""
scheduler.features.securityTxt.securityTxtExpiresExpiration date (ISO 8601 format)string""
scheduler.features.securityTxt.securityTxtPolicySecurity policy URLstring""
scheduler.features.securityTxt.useSecurityTxtEnable security.txt filestring""
scheduler.features.sessions.sessionsAbsoluteTimeoutAbsolute timeout (seconds)string""
scheduler.features.sessions.sessionsCheckIpCheck IP address consistencystring""
scheduler.features.sessions.sessionsCheckUserAgentCheck User-Agent consistencystring""
scheduler.features.sessions.sessionsDomainDomain attribute on the session cookie (e.g. "example.com" to share antibot challenge state across s...string""
scheduler.features.sessions.sessionsIdlingTimeoutIdle timeout (seconds)string""
scheduler.features.sessions.sessionsNameSession cookie namestring""
scheduler.features.sessions.sessionsRollingTimeoutRolling timeout (seconds)string""
scheduler.features.sessions.sessionsSecretSession secret key (leave empty to auto-generate)string""
scheduler.features.ssl.autoRedirectHttpToHttpsAuto-redirect HTTP to HTTPSstring""
scheduler.features.ssl.listenHttpsEnable HTTPS listeningstring""
scheduler.features.ssl.sslCiphersLevelCipher security level: "old", "intermediate", "modern"string""
scheduler.features.ssl.sslProtocolsSSL protocols to supportstring""
scheduler.features.stream.listenStreamEnable non-ssl passthrough listeningstring""
scheduler.features.stream.listenStreamPortPort for non-ssl passthrough (empty to disable)string""
scheduler.features.stream.listenStreamPortSslPort for ssl passthrough (empty to disable)string""
scheduler.features.timeouts.clientBodyTimeoutTimeout for reading client request bodystring""
scheduler.features.timeouts.clientHeaderTimeoutTimeout for reading client request headerstring""
scheduler.features.timeouts.keepaliveTimeoutTimeout for keep-alive client connectionsstring""
scheduler.features.timeouts.sendTimeoutTimeout for transmitting response to clientstring""
scheduler.features.whitelist.useWhitelistEnable whitelist functionalitystring""
scheduler.features.whitelist.whitelistIpManual IP whitelist (space-separated CIDR)string""
scheduler.features.whitelist.whitelistIpUrlsWhitelist URLs for automatic updatesstring""
scheduler.livenessProbe.exec.commandConfiguration for commandlist['/usr/share/bunkerweb/helpers/healthcheck-scheduler.sh']
scheduler.securityContext.capabilities.dropConfiguration for droplist['ALL']

controller

Kubernetes controller for automatic Ingress management

ParameterDescriptionTypeDefault
controllerKubernetes controller for automatic Ingress managementobjectSee nested values
controller.enabledEnable the controller (required for Ingress integration)booltrue
controller.extraEnvsAdditional environment variableslist[]
controller.imagePullSecretsImage pull secrets (overrides global setting)list[]
controller.initContainersCustom init containers for the controller pod Runs before the controller containerlist[]
controller.livenessProbeLiveness probe configurationobjectSee nested values
controller.nodeSelectorNode selector (overrides global setting)object{}
controller.podAnnotationsAdditional pod annotationsobject{}
controller.podLabelsAdditional pod labelsobject{}
controller.pullPolicyConfiguration for pullPolicystring"IfNotPresent"
controller.readinessProbeReadiness probe configurationobjectSee nested values
controller.repositoryContainer image configuration Also available at ghcr.io/bunkerity/bunkerweb-autoconfstring"docker.io/bunkerity/bunkerweb-autoconf"
controller.securityContextSecurity context for controller containerobjectSee nested values
controller.settingsRecheckIntervalSeconds between re-applying service labels when the set of valid settings changes (for example a PRO...string""
controller.tagConfiguration for tagstring"1.6.12"
controller.tolerationsTolerations (overrides global setting)list[]
controller.volumeMountsWhere to mount controller.volumes inside the containerlist[]
controller.volumesCustom volumes for the controller pod (e.g. a CA bundle for the Kubernetes API when settings.kuberne...list[]
controller.livenessProbe.execConfiguration for execobjectSee nested values
controller.livenessProbe.failureThresholdConfiguration for failureThresholdint3
controller.livenessProbe.initialDelaySecondsConfiguration for initialDelaySecondsint30
controller.livenessProbe.periodSecondsConfiguration for periodSecondsint5
controller.livenessProbe.timeoutSecondsConfiguration for timeoutSecondsint1
controller.readinessProbe.execConfiguration for execobjectSee nested values
controller.readinessProbe.failureThresholdConfiguration for failureThresholdint3
controller.readinessProbe.initialDelaySecondsConfiguration for initialDelaySecondsint120
controller.readinessProbe.periodSecondsConfiguration for periodSecondsint1
controller.readinessProbe.timeoutSecondsConfiguration for timeoutSecondsint1
controller.securityContext.allowPrivilegeEscalationConfiguration for allowPrivilegeEscalationboolfalse
controller.securityContext.capabilitiesConfiguration for capabilitiesobjectSee nested values
controller.securityContext.runAsGroupConfiguration for runAsGroupint101
controller.securityContext.runAsUserConfiguration for runAsUserint101
controller.livenessProbe.exec.commandConfiguration for commandlist['/usr/share/bunkerweb/helpers/healthcheck-autoconf.sh']
controller.readinessProbe.exec.commandConfiguration for commandlist['/usr/share/bunkerweb/helpers/healthcheck-autoconf.sh']
controller.securityContext.capabilities.dropConfiguration for droplist['ALL']

mariadb

Database backend for BunkerWeb configuration and logs

ParameterDescriptionTypeDefault
mariadbDatabase backend for BunkerWeb configuration and logsobjectSee nested values
mariadb.argsAdditional arguments for MariaDBlist['--max-allowed-packet=67108864']
mariadb.configDatabase configurationobjectSee nested values
mariadb.enabledEnable internal MariaDB instance Set to false to use external databasebooltrue
mariadb.extraEnvsAdditional environment variables for MariaDB containerlist[]
mariadb.imagePullSecretsImage pull secrets (overrides global setting)list[]
mariadb.nodeSelectorNode selector (overrides global setting)object{}
mariadb.persistencePersistent storage configurationobjectSee nested values
mariadb.pullPolicyConfiguration for pullPolicystring"IfNotPresent"
mariadb.repositoryContainer image configurationstring"docker.io/mariadb"
mariadb.tagConfiguration for tagstring"11"
mariadb.tolerationsTolerations (overrides global setting)list[]
mariadb.config.databaseBunkerWeb database namestring"db"
mariadb.config.passwordBunkerWeb database password SECURITY: Change this in production or use existingSecretstring"changeme"
mariadb.config.randomRootPasswordGenerate random root passwordstring"1"
mariadb.config.userBunkerWeb database userstring"bunkerweb"
mariadb.persistence.sizeStorage size for databasestring"5Gi"
mariadb.persistence.storageClassStorage class for database persistence Leave empty for default storage classstring""

redis

Cache and session storage for BunkerWeb

ParameterDescriptionTypeDefault
redisCache and session storage for BunkerWebobjectSee nested values
redis.configRedis configurationobjectSee nested values
redis.enabledEnable internal Redis instance Set to false to use external Redisbooltrue
redis.extraEnvsAdditional environment variables for Redis containerlist[]
redis.imagePullSecretsImage pull secrets (overrides global setting)list[]
redis.nodeSelectorNode selector (overrides global setting)object{}
redis.persistencePersistent storage configurationobjectSee nested values
redis.pullPolicyConfiguration for pullPolicystring"IfNotPresent"
redis.repositoryContainer image configurationstring"docker.io/redis"
redis.tagConfiguration for tagstring"8-alpine"
redis.tolerationsTolerations (overrides global setting)list[]
redis.useConfigFileUse custom Redis configuration filebooltrue
redis.config.fileCustom Redis configuration Applied when useConfigFile is true Defaults follow the BunkerWeb Redis Be...string"appendonly yes; save 60 1000; loglevel verbose; maxmemory 512mb; maxmemory-policy volatile-lru"
redis.config.passwordRedis authentication password SECURITY: Change this in production or use existingSecretstring"changeme"
redis.persistence.sizeStorage size for Redis datastring"1Gi"
redis.persistence.storageClassStorage class for Redis persistence Leave empty for default storage classstring""

grafana

Dashboards and visualization

ParameterDescriptionTypeDefault
grafanaDashboards and visualizationobjectSee nested values
grafana.adminPasswordAdmin password (leave empty to generate random) SECURITY: Set a strong password or use existingSecre...string""
grafana.adminUserAdmin user configurationstring"admin"
grafana.enabledEnable Grafana for dashboardsboolfalse
grafana.existingSecretUse existing secret for admin password Secret should contain 'admin-password' key existingSecret: "g...string""
grafana.extraEnvsAdditional environment variables (missing from values.yaml)list[]
grafana.ingressIngress configuration for external accessobjectSee nested values
grafana.persistencePersistent storage configurationobjectSee nested values
grafana.podAnnotationsAdditional pod annotationsobject{}
grafana.podLabelsAdditional pod labelsobject{}
grafana.prometheusDatasourcePrometheus data source configuration Automatically configured when Prometheus is enabledobjectSee nested values
grafana.pullPolicyConfiguration for pullPolicystring"IfNotPresent"
grafana.replicasNumber of Grafana replicasint1
grafana.repositoryContainer image configurationstring"docker.io/grafana/grafana"
grafana.securityContextSecurity context for Grafanaobject{}
grafana.serviceService configurationobjectSee nested values
grafana.tagConfiguration for tagstring"latest"
grafana.ingress.enabledConfiguration for enabledboolfalse
grafana.persistence.accessModesAccess modes for the persistent volumelist['ReadWriteOnce']
grafana.persistence.enabledConfiguration for enabledboolfalse
grafana.persistence.sizeConfiguration for sizestring"10Gi"
grafana.persistence.storageClassStorage class for dashboard persistencestring""
grafana.prometheusDatasource.accessConfiguration for accessstring"proxy"
grafana.prometheusDatasource.isDefaultConfiguration for isDefaultbooltrue
grafana.prometheusDatasource.nameConfiguration for namestring"Prometheus"
grafana.prometheusDatasource.typeConfiguration for typestring"prometheus"
grafana.prometheusDatasource.urlConfiguration for urlstring"http://prometheus-{{ include "bunkerweb.fullname" . }}.{{ include "bunkerweb.namespace" . }}.svc:9090"
grafana.service.portConfiguration for portint3000
grafana.service.typeConfiguration for typestring"ClusterIP"

prometheus

Metrics collection and storage

ParameterDescriptionTypeDefault
prometheusMetrics collection and storageobjectSee nested values
prometheus.enabledEnable Prometheus for metrics collection Requires BunkerWeb PRO for advanced metricsboolfalse
prometheus.persistencePersistent storage configurationobjectSee nested values
prometheus.podAnnotationsAdditional pod annotationsobject{}
prometheus.podLabelsAdditional pod labelsobject{}
prometheus.pullPolicyConfiguration for pullPolicystring"IfNotPresent"
prometheus.replicasNumber of Prometheus replicasint1
prometheus.repositoryContainer image configurationstring"docker.io/prom/prometheus"
prometheus.securityContextSecurity context for PrometheusobjectSee nested values
prometheus.tagConfiguration for tagstring"v3.3.1"
prometheus.persistence.accessModesAccess modes for the persistent volumelist['ReadWriteOnce']
prometheus.persistence.enabledEnable persistent storagebooltrue
prometheus.persistence.sizeStorage size for metrics datastring"8Gi"
prometheus.persistence.storageClassStorage class for metrics persistencestring""
prometheus.securityContext.fsGroupConfiguration for fsGroupint65534

api

External API for BunkerWeb that exposes REST interface for automation tools

ParameterDescriptionTypeDefault
apiExternal API for BunkerWeb that exposes REST interface for automation toolsobjectSee nested values
api.enabledEnable the external API NOTE: the BunkerWeb API refuses to start without authentication, so when thi...boolfalse
api.extraEnvsAdditional environment variableslist[]
api.imagePullSecretsImage pull secrets (overrides global setting)list[]
api.livenessProbeLiveness probe configurationobjectSee nested values
api.nodeSelectorNode selector (overrides global setting)object{}
api.podAnnotationsAdditional pod annotationsobject{}
api.podLabelsAdditional pod labelsobject{}
api.pullPolicyConfiguration for pullPolicystring"IfNotPresent"
api.repositoryContainer image configuration Also available at ghcr.io/bunkerity/bunkerweb-apistring"docker.io/bunkerity/bunkerweb-api"
api.securityContextSecurity context for API containerobjectSee nested values
api.tagConfiguration for tagstring"1.6.12"
api.tolerationsTolerations (overrides global setting)list[]
api.livenessProbe.execConfiguration for execobjectSee nested values
api.livenessProbe.failureThresholdConfiguration for failureThresholdint3
api.livenessProbe.initialDelaySecondsConfiguration for initialDelaySecondsint30
api.livenessProbe.periodSecondsConfiguration for periodSecondsint5
api.livenessProbe.timeoutSecondsConfiguration for timeoutSecondsint1
api.securityContext.allowPrivilegeEscalationConfiguration for allowPrivilegeEscalationboolfalse
api.securityContext.capabilitiesConfiguration for capabilitiesobjectSee nested values
api.securityContext.runAsGroupConfiguration for runAsGroupint101
api.securityContext.runAsUserConfiguration for runAsUserint101
api.livenessProbe.exec.commandConfiguration for commandlist['/usr/share/bunkerweb/helpers/healthcheck-api.sh']
api.securityContext.capabilities.dropConfiguration for droplist['ALL']

gatewayClass

Kubernetes GatewayClass resource for BunkerWeb

ParameterDescriptionTypeDefault
gatewayClassKubernetes GatewayClass resource for BunkerWebobjectSee nested values
gatewayClass.controllerController identifier for this GatewayClassstring"bunkerweb.io/gateway-controller"
gatewayClass.enabledCreate GatewayClass resource Requires Kubernetes Gateway API CRDs to be installed in the cluster: ht...boolfalse
gatewayClass.nameGatewayClass name (used in gateway resources)string"bunkerweb"

ingressClass

Kubernetes IngressClass resource for BunkerWeb

ParameterDescriptionTypeDefault
ingressClassKubernetes IngressClass resource for BunkerWebobjectSee nested values
ingressClass.controllerController identifier for this IngressClassstring"bunkerweb.io/ingress-controller"
ingressClass.enabledCreate IngressClass resourcebooltrue
ingressClass.nameIngressClass name (used in Ingress resources)string"bunkerweb"

mcp

Model Context Protocol (MCP) server for BunkerWeb Requires BunkerWeb API component to be enabled

ParameterDescriptionTypeDefault
mcpModel Context Protocol (MCP) server for BunkerWeb Requires BunkerWeb API component to be enabledobjectSee nested values
mcp.configConfiguration for configobjectSee nested values
mcp.enabledEnable the BunkerWeb MCP serverboolfalse
mcp.extraEnvsAdditional environment variableslist[]
mcp.httpRoutesAlternative to Ingress for Kubernetes Gateway APIobjectSee nested values
mcp.imagePullSecretsImage pull secrets (overrides global setting)list[]
mcp.ingressConfiguration for ingressobjectSee nested values
mcp.nodeSelectorNode selector (overrides global setting)object{}
mcp.podAnnotationsAdditional pod annotationsobject{}
mcp.podLabelsAdditional pod labelsobject{}
mcp.pullPolicyConfiguration for pullPolicystring"IfNotPresent"
mcp.replicasNumber of replicasint1
mcp.repositoryContainer image configurationstring"docker.io/bunkerity/bunkerweb-mcp"
mcp.secretsConfiguration for secretsobjectSee nested values
mcp.securityContextSecurity context for MCP containerobjectSee nested values
mcp.serviceConfiguration for serviceobjectSee nested values
mcp.serviceMonitorConfiguration for serviceMonitorobjectSee nested values
mcp.tagConfiguration for tagstring"0.1.0"
mcp.terminationGracePeriodSecondsTermination grace periodint30
mcp.tolerationsTolerations (overrides global setting)list[]
mcp.config.allowedHostsAllowed hosts (auto-configured based on service names if empty)string""
mcp.config.allowedOriginsAllowed origins for CORSstring""
mcp.config.bunkerwebBaseUrlBunkerWeb API Configuration Base URL will be auto-configured to use internal API service if emptystring""
mcp.config.bunkerwebMaxRetriesConfiguration for bunkerwebMaxRetriesstring"3"
mcp.config.bunkerwebRequestTimeoutSecondsConfiguration for bunkerwebRequestTimeoutSecondsstring"30"
mcp.config.bunkerwebRetryBackoffInitialConfiguration for bunkerwebRetryBackoffInitialstring"0.5"
mcp.config.bunkerwebRetryBackoffMaxConfiguration for bunkerwebRetryBackoffMaxstring"5"
mcp.config.cacheEnabledConfiguration for cacheEnabledstring"true"
mcp.config.enableDnsRebindingProtectionMCP Transport Security (DNS Rebinding Protection)string"false"
mcp.config.logLevelLoggingstring"INFO"
mcp.config.rateLimitEnabledPerformance Configurationstring"false"
mcp.config.rateLimitRpcConfiguration for rateLimitRpcstring"100/minute"
mcp.config.rateLimitToolsConfiguration for rateLimitToolsstring"30/minute"
mcp.config.rateLimitWsConfiguration for rateLimitWsstring"500/minute"
mcp.config.searchApiUrlConfiguration for searchApiUrlstring""
mcp.config.searchModeSemantic Search Configuration Released in the future, currently non-functionalstring"disabled"
mcp.config.searchTimeoutConfiguration for searchTimeoutstring"10.0"
mcp.config.workersNumber of workers for the MCP serverstring"4"
mcp.httpRoutes.enabledEnable HTTPRoute for external access WARNING: The MCP server has no built-in authentication for the ...boolfalse
mcp.httpRoutes.extraAnnotationsAdditional annotations for the HTTPRoute resource SECURITY: Configure whitelist to restrict access t...mixedNone
mcp.httpRoutes.gatewayClassNameGatewayClass name to usestring""
mcp.httpRoutes.serverNameDomain name for MCP accessstring""
mcp.httpRoutes.serverPathPath for MCP accessstring"/"
mcp.httpRoutes.tlsSecretNameWhitelist configuration (RECOMMENDED for MCP security) bunkerweb.io/USE_WHITELIST: "yes" bunkerweb.i...string""
mcp.ingress.annotationsAdditional annotations for the Ingress resource SECURITY: Configure whitelist to restrict access to ...objectSee nested values
mcp.ingress.enabledEnable ingress for external access WARNING: The MCP server has no built-in authentication for the /m...boolfalse
mcp.ingress.ingressClassNameIngressClass name to usestring"bunkerweb"
mcp.ingress.serverNameDomain name for MCP accessstring""
mcp.ingress.serverPathPath for MCP accessstring"/"
mcp.ingress.tlsWhitelist configuration (RECOMMENDED for MCP security) Uncomment and configure to restrict access to...objectSee nested values
mcp.secrets.bunkerwebApiTokenBunkerWeb API Bearer Token (if not using existingSecret) Leave empty to use basic auth insteadstring""
mcp.secrets.bunkerwebBasicPasswordConfiguration for bunkerwebBasicPasswordstring""
mcp.secrets.bunkerwebBasicUsernameBunkerWeb API Basic Auth (if not using existingSecret or token)string""
mcp.secrets.existingSecretUse existing secret for sensitive data If set, the following keys should be present: - BUNKERWEB_API...string""
mcp.secrets.websocketTokenWebSocket authentication token (optional)string""
mcp.securityContext.allowPrivilegeEscalationConfiguration for allowPrivilegeEscalationboolfalse
mcp.securityContext.capabilitiesConfiguration for capabilitiesobjectSee nested values
mcp.securityContext.runAsGroupConfiguration for runAsGroupint1000
mcp.securityContext.runAsUserConfiguration for runAsUserint1000
mcp.service.annotationsAdditional service annotationsobject{}
mcp.service.portService portint8080
mcp.service.typeService type: ClusterIP, NodePort, or LoadBalancerstring"ClusterIP"
mcp.serviceMonitor.enabledEnable ServiceMonitor for Prometheus Operatorboolfalse
mcp.serviceMonitor.intervalScrape intervalstring"30s"
mcp.serviceMonitor.labelsAdditional labels for ServiceMonitorobject{}
mcp.serviceMonitor.scrapeTimeoutScrape timeoutstring"10s"
mcp.ingress.annotations.bunkerweb.io/AUTO_LETS_ENCRYPTConfiguration for bunkerweb.io/AUTO_LETS_ENCRYPTstring"yes"
mcp.ingress.annotations.bunkerweb.io/REVERSE_PROXY_HOSTConfiguration for bunkerweb.io/REVERSE_PROXY_HOSTstring"http://mcp-bunkerweb.bunkerweb.svc.cluster.local:8080"
mcp.ingress.annotations.bunkerweb.io/REVERSE_PROXY_URLConfiguration for bunkerweb.io/REVERSE_PROXY_URLstring"/"
mcp.ingress.annotations.bunkerweb.io/USE_REVERSE_PROXYConfiguration for bunkerweb.io/USE_REVERSE_PROXYstring"yes"
mcp.ingress.tls.enabledConfiguration for enabledboolfalse
mcp.ingress.tls.secretNameSecret name containing TLS certificatestring""
mcp.securityContext.capabilities.dropConfiguration for droplist['ALL']

networkPolicy

Network policies for micro-segmentation

ParameterDescriptionTypeDefault
networkPolicyNetwork policies for micro-segmentationobjectSee nested values
networkPolicy.egressEgress traffic configurationobjectSee nested values
networkPolicy.enabledEnable network policies for enhanced security Requires a CNI that supports NetworkPolicies (e.g., Ca...boolfalse
networkPolicy.egress.allowDatabaseVNetAllow access to database virtual networkbooltrue
networkPolicy.egress.allowInternetAllow internet access for updates and external APIsbooltrue
networkPolicy.egress.allowSameNamespaceAllow traffic to pods in the same namespacebooltrue
networkPolicy.egress.databasePortDatabase port for accessint3306
networkPolicy.egress.databaseVNetCIDRCIDR range for database networkstring"10.0.0.0/16"
networkPolicy.egress.internetPortsPorts allowed for internet accesslist[80, 443]

service

External service for BunkerWeb (LoadBalancer/NodePort)

ParameterDescriptionTypeDefault
serviceExternal service for BunkerWeb (LoadBalancer/NodePort)objectSee nested values
service.annotationsAdditional service annotationsobject{}
service.enabledEnable external service creationbooltrue
service.externalTrafficPolicyExternal traffic policy: Local or Cluster Local: Preserves client IP but may cause uneven distributi...string"Local"
service.typeService type: LoadBalancer, NodePort, or ClusterIP LoadBalancer: Exposes service externally using cl...string"LoadBalancer"

settings

Configuration for BunkerWeb behavior in Kubernetes environment

ParameterDescriptionTypeDefault
settingsConfiguration for BunkerWeb behavior in Kubernetes environmentobjectSee nested values
settings.apiConfiguration for apiobjectSee nested values
settings.existingSecretSpecify the name of an existing secret containing sensitive parameters. When using this, the followi...string""
settings.kubernetesConfiguration for kubernetesobjectSee nested values
settings.miscConfiguration for miscobjectSee nested values
settings.redisConfiguration for redisobjectSee nested values
settings.uiConfiguration for uiobjectSee nested values
settings.api.allowedHostsHost header allowlist (defense in depth), space or comma separated Wildcards must look like "*.examp...string""
settings.api.apiAclBootstrapFileOR/AND ConfigMap name that includes ACL based JSON File https://docs.bunkerweb.io/latest/api/#permis...string""
settings.api.docsUrlURL for API documentation, set to an empty value to disablestring"/docs"
settings.api.forwardedAllowIpsForwarded allow IPs for correct client IP detectionstring"*"
settings.api.httpRoutesif using new Gateway API integration instead of ingress resources HTTP routes configuration for API ...objectSee nested values
settings.api.ingressIngress configuration for API accessobjectSee nested values
settings.api.maxRequestsMax requests before Gunicorn worker restartstring""
settings.api.openApiUrlURL for OpenAPI specification, set to an empty value to disablestring"/openapi.json"
settings.api.rateLimitRate limiting configuration for API access https://docs.bunkerweb.io/latest/api/#rate-limitingobjectSee nested values
settings.api.redocUrlURL for ReDoc API documentation, set to an empty value to disablestring"/redoc"
settings.api.rootPathAPI Configuration https://docs.bunkerweb.io/latest/api/#configuration Root path for the APIstring""
settings.api.useBearerTokenAuthentication settings https://docs.bunkerweb.io/latest/api/#authentication Choose at least one met...objectSee nested values
settings.api.useUserPassUsername and PasswordobjectSee nested values
settings.api.whitelistWhitelist configuration for API accessobjectSee nested values
settings.kubernetes.domainNameKubernetes cluster domain name for service discoverystring"cluster.local"
settings.kubernetes.gatewayApiVersionGateway API version when gatewayClass.enabled=true (v1, v1beta1, v1beta2, v1alpha2, v1alpha1) Empty ...string""
settings.kubernetes.ignoreAnnotationsAnnotations to be ignored by bunkerweb-controller when multiple ingress controllers (comma-separated...string""
settings.kubernetes.ingressClassIngress class name that BunkerWeb will handle Must match the IngressClass resource namestring""
settings.kubernetes.namespacesSpace-separated list of namespaces to monitor for Ingress resources Empty string means all namespace...string""
settings.kubernetes.serviceProtocolProtocol used by the controller when reaching BunkerWeb services ("http" or "https") Empty string fa...string""
settings.kubernetes.sslCaCertPath inside the controller container to a custom CA bundle for the Kubernetes API. The bundle MUST b...string""
settings.kubernetes.useFqdnUse Pod FQDN instead of Pod IP as upstream hostname ("yes" or "no", upstream default "yes")string""
settings.kubernetes.verifySslVerify the Kubernetes API server TLS certificate ("yes" or "no", upstream default "yes") Set to "no"...string""
settings.misc.apiWhitelistIpIP ranges allowed to access BunkerWeb API (space-separated CIDR blocks) Includes common Kubernetes a...string"127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
settings.misc.databaseUriDatabase connection URI (auto-generated if using internal MariaDB) Format: mysql+pymysql://user:pass...string""
settings.misc.dnsResolversDNS resolvers for BunkerWeb (space-separated) Default uses CoreDNS service in kube-system namespacestring"coredns.kube-system.svc.cluster.local"
settings.redis.redisDatabaseRedis database number, 0-15 (upstream default 0 when left empty)string""
settings.redis.redisHostRedis hostname (auto-configured if using internal Redis). Leave empty when using Sentinel: the maste...string""
settings.redis.redisPasswordConfiguration for redisPasswordstring""
settings.redis.redisPortRedis port (upstream default 6379 when left empty)string""
settings.redis.redisSentinelHostsWhen redisSentinelHosts is set, BunkerWeb resolves the master through the Sentinels and redisHost is...string""
settings.redis.redisSentinelMasterName of the monitored master (e.g. "mymaster")string""
settings.redis.redisSentinelPasswordSentinel password (only if your Sentinels require auth)string""
settings.redis.redisSentinelUsernameSentinel username (only if your Sentinels require auth)string""
settings.redis.redisSslEnable SSL/TLS to the Redis server ("yes"/"no", leave empty for upstream default)string""
settings.redis.redisSslVerifyVerify the Redis server SSL certificate ("yes"/"no", leave empty for upstream default)string""
settings.redis.redisTimeoutConnection timeout in milliseconds (upstream default 1000 when left empty)string""
settings.redis.redisUsernameRedis authentication (leave empty if not using auth)string""
settings.redis.useRedisEnable Redis for caching and persistence Recommended for production environmentsstring"yes"
settings.ui.adminPasswordConfiguration for adminPasswordstring""
settings.ui.adminUsernameUI authentication settingsstring""
settings.ui.allowedHostsHost header allowlist (defense in depth), space or comma separated Wildcards like "*.example.com" ar...string""
settings.ui.flaskSecretFlask session secret (auto-generated if empty)string""
settings.ui.httpRoutesif using new Gateway API integration instead of ingress resources HTTP routes configuration for UI a...objectSee nested values
settings.ui.ingressIngress configuration for UI accessobjectSee nested values
settings.ui.maxContentLengthMaximum upload size in bytes (default: 50MB)string""
settings.ui.maxRequestsMax requests before Gunicorn worker restartstring""
settings.ui.overrideAdminCredsOverride admin credentials on startup Set to "yes" to reset admin credentials to the values abovestring"no"
settings.ui.sessionAbsoluteHoursAbsolute session cap in hours regardless of activity Empty string falls back to upstream default (16...string""
settings.ui.sessionLifetimeHoursIdle session lifetime in hours (sliding TTL, refreshed on every request) Empty string falls back to ...string""
settings.ui.sessionRollingHoursSession ID rotation interval in hours (0 disables rotation) Empty string falls back to upstream defa...string""
settings.ui.totpSecretsTOTP secrets for two-factor authenticationstring""
settings.ui.wizardEnable the setup wizard on first launchbooltrue
settings.api.httpRoutes.enabledEnable HTTP routes for API accessboolfalse
settings.api.httpRoutes.extraAnnotationsAdditional annotations for the Ingress resourceobject{}
settings.api.httpRoutes.gatewayClassNameGatewayClass name to usestring""
settings.api.httpRoutes.serverNameDomain name for API accessstring""
settings.api.httpRoutes.serverPathPath for API accessstring"/admin"
settings.api.httpRoutes.tlsSecretNameSecret name containing TLS certificate Leave empty to disable HTTPSstring""
settings.api.ingress.enabledSet to true to create an Ingress resource for the APIboolfalse
settings.api.ingress.extraAnnotationsAdditional annotations for the Ingress resourceobject{}
settings.api.ingress.ingressClassNameIngressClass name to usestring""
settings.api.ingress.serverNameDomain name for API accessstring""
settings.api.ingress.serverPathPath for API access (usually "/")string"/"
settings.api.ingress.tlsSecretNameSecret name containing TLS certificate Leave empty to disable HTTPSstring""
settings.api.rateLimit.defaultsRate limit per period, Supported formats: "[10/seconde]", "[100/minute]", "[1000/day]" https://limit...list['100/minute']
settings.api.rateLimit.enabledEnable request rate limitingboolfalse
settings.api.rateLimit.strategyStrategy: "fixed-window" or "moving-window" or "sliding-window" https://limits.readthedocs.io/en/sta...string"fixed-window"
settings.api.useBearerToken.fromExistingSecretIf true, the token is read from settings.existingSecret. The auth guard only checks that existingSec...boolfalse
settings.api.useBearerToken.tokenIf not using existingSecret, set the token herestring""
settings.api.useUserPass.apiPasswordConfiguration for apiPasswordstring""
settings.api.useUserPass.apiUsernameIf not using existingSecret, set the credentials herestring""
settings.api.useUserPass.fromExistingSecretIf true, credentials are read from settings.existingSecret. The guard only checks that existingSecre...boolfalse
settings.api.whitelist.enabledEnable API whitelist functionalitybooltrue
settings.api.whitelist.whitelistIpsspace-separated list of IPs/CIDR allowed to access the APIstring"10.0.0.0/8 127.0.0.1/32 127.0.0.0/8"
settings.ui.httpRoutes.enabledEnable HTTP routes for UI accessboolfalse
settings.ui.httpRoutes.extraAnnotationsAdditional annotations for the httpRoute resourceobject{}
settings.ui.httpRoutes.gatewayClassNameGatewayClass name to usestring""
settings.ui.httpRoutes.serverNameDomain name for UI accessstring""
settings.ui.httpRoutes.serverPathPath for UI accessstring"/"
settings.ui.httpRoutes.tlsSecretNameSecret name containing TLS certificate Leave empty to disable HTTPSstring""
settings.ui.ingress.enabledSet to true to create an Ingress resource for the UIboolfalse
settings.ui.ingress.extraAnnotationsAdditional annotations for the Ingress resourceobject{}
settings.ui.ingress.ingressClassNameIngressClass name to usestring""
settings.ui.ingress.serverNameDomain name for UI accessstring""
settings.ui.ingress.serverPathPath for UI access (usually "/")string"/"
settings.ui.ingress.tlsSecretNameSecret name containing TLS certificate Leave empty to disable HTTPSstring""