Merge pull request #184344 from nehakulkarni123/patch-8

Updated to reflect fail close model

Author: PRMerger16

articles/governance/policy/troubleshoot/general.md

@@ -437,6 +437,22 @@ $def = Get-AzPolicyDefinition -id '/providers/Microsoft.Authorization/policyDefi
 New-AzPolicyDefinition -name (new-guid).guid -DisplayName "$($def.DisplayName) (Copy)" -Description $def.Description -Metadata ($def.Metadata | convertto-json) -Parameter ($def.Parameters | convertto-json) -Policy ($def.PolicyRule | convertto-json -depth 15)
 ```
 
+### Scenario: Kubernetes resource gets created during connectivity failure despite deny policy being assigned
+
+#### Issue
+
+In the event of a Kubernetes cluster connectivity failure, evaluation for newly created or updated resources may be bypassed due to Gatekeeper's fail-open behavior.
+ 
+#### Cause
+
+The GK fail-open model is by design and based on community feedback. Gatekeeper documentation expands on these reasons here: https://open-policy-agent.github.io/gatekeeper/website/docs/failing-closed#considerations.
+
+#### Resolution
+
+In the above event, the error case can be monitored from the [admission webhook metrics](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhook-metrics) provided by the kube-apiserver. And even if evaluation is bypassed at creation time and an object is created, it will still be reported on Azure Policy compliance as non-compliant as a flag to customers.
+
+Regardless of the above, in such a scenario, Azure policy will still retain the last known policy on the cluster and keep the guardrails in place. 
+
 ## Next steps
 
 If your problem isn't listed in this article or you can't resolve it, get support by visiting one of