policyDefinitions/Kubernetes/forbidden-sysctl-interfaces/constraint.yaml (12 lines of code) (raw):

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAzureForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    excludedNamespaces: {{ .Values.excludedNamespaces }}
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    forbiddenSysctls: {{ .Values.forbiddenSysctls }}