articles/governance/policy/concepts/policy-for-kubernetes.md
Lines changed: 2 additions & 5 deletions
@@ -21,6 +21,8 @@ Azure Policy for Kubernetes supports the following cluster environments:
21
21
> [!IMPORTANT]
22
22
> The Azure Policy Add-on Helm model and the add-on for AKS Engine have been _deprecated_. Follow the instructions to [remove the add-ons](#remove-the-add-on).
23
23
24
+
> [!IMPORTANT]
25
+
> Installations of Gatekeeper outside of the Azure Policy Add-on aren't supported. Uninstall any components installed by a previous Gatekeeper installation before enabling the Azure Policy Add-on.
24
26
## Overview
25
27
26
28
By installing Azure Policy's add-on or extension on your Kubernetes clusters, Azure Policy enacts the following functions:
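Review bot: The new `[!IMPORTANT]` callout tells readers to "Uninstall any components installed by a previous Gatekeeper installation" but gives no pointer on how to find or remove them, unlike the preceding callout, which links to `[remove the add-ons](#remove-the-add-on)`. Consider adding a link (to the upstream Gatekeeper uninstall steps or an equivalent section of this article) or a short hint on what to check for before enabling the add-on, so the instruction is actionable rather than just a statement of the support boundary.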
@@ -785,7 +787,6 @@ aligns with how the add-on was installed:
785
787
- Maximum number of pods supported by the Azure Policy Add-on per cluster: **10,000**
786
788
- Maximum number of Non-compliant records per policy per cluster: **500**
787
789
- Maximum number of Non-compliant records per subscription: **1 million**
788
-
- Installations of Gatekeeper outside of the Azure Policy Add-on aren't supported. Uninstall any components installed by a previous Gatekeeper installation before enabling the Azure Policy Add-on.
789
790
- [Reasons for non-compliance](../how-to/determine-non-compliance.md#compliance-reasons) aren't available for the Microsoft.Kubernetes.Data [Resource Provider mode](./definition-structure-basics.md#resource-provider-modes). Use [Component details](../how-to/determine-non-compliance.md#component-details-for-resource-provider-modes).
790
791
- Component-level [exemptions](./exemption-structure.md) aren't supported for [Resource Provider modes](./definition-structure-basics.md#resource-provider-modes). Parameters support is available in Azure Policy definitions to exclude and include particular namespaces.
791
792
- Using the `metadata.gatekeeper.sh/requires-sync-data` annotation in a constraint template to configure the [replication of data](https://open-policy-agent.github.io/gatekeeper/website/docs/sync) from your cluster into the OPA cache is currently only allowed for built-in policies. The reason is because it can dramatically increase the Gatekeeper pods resource usage if not used carefully.
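Review bot: Removing the "Installations of Gatekeeper outside of the Azure Policy Add-on aren't supported" bullet from the limitations list means readers who jump straight to this section (a common entry point when troubleshooting) no longer see that constraint here. Since the same text now lives in a callout near the top of the article, a one-line cross-reference from this list to that callout would keep the limitations section complete without duplicating the wording.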
@@ -851,10 +852,6 @@ collected:
851
852
evaluation
852
853
- Number of Gatekeeper policy definitions not installed by Azure Policy Add-on
853
854
854
-
### Can I install Gatekeeper on its own alongside the policy addon?
855
-
856
-
This is not supported as the two Gatekeeper installations will have conflicting ownership over the same resources.
857
-
858
855
### What are general best practices to keep in mind when installing the Azure Policy Add-on?
859
856
860
857
- Use system node pool with `CriticalAddonsOnly` taint to schedule Gatekeeper pods. For more information, see [Using system node pools](/azure/aks/use-system-pools#system-and-user-node-pools).
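Review bot: The deleted FAQ answer was the only place that explained *why* a standalone Gatekeeper is unsupported ("the two Gatekeeper installations will have conflicting ownership over the same resources"); the replacement callout added earlier in this change states only the rule. Suggest carrying that rationale into the callout, for example "...before enabling the Azure Policy Add-on, because two Gatekeeper installations have conflicting ownership over the same resources.", so the reader still understands the consequence of ignoring it.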