Skip to the content.

ORY Oathkeeper-maester Helm Chart

ORY Oathkeeper-maester is a Kubernetes controller that watches for instances of custom resource (CR) and creates or updates the Oathkeeper ConfigMap with Access Rules found in the CRs. The controller passes the Access Rules as an array in a format recognized by the Oathkeeper. By mounting the ConfigMap to the Oathkeeper Pod, you can manage the list of Oathkeeper Rules through CR instances.


Oathkeeper-maester is a part of the Oathkeeper chart, and it is installed together with it.


These are the most important configuration values used to control ConfigMap creation:

You can set the values in values.yaml file or using --set syntax of Helm during chart installation.

Custom Resource Syntax

ORY Maester introduces its own Custom Resource Definition (CRD) of type Each CR instance defines the rules for a single service.

The syntax of the CR Spec field reflects the Oathkeeper Access Rule syntax, with the following differences:

The JSON schema specified in the CRD provides definitions for all available attributes. All handlers such as authenticators, the authorizer, and the mutator are passed verbatim without any changes to the target Access Rules list.

The controller provides the following defaults for each Access Rule it creates:

These defaults implement a “disabled by default” policy for increased security.