Merge pull request #298379 from anlandu/patch-11

prmerger-automator[bot] · web-flow · commit 91d48c25ac8b · 2025-04-17T21:18:06.000Z
Update general.md and policy-for-kubernetes.md
diff --git a/articles/governance/policy/concepts/policy-for-kubernetes.md b/articles/governance/policy/concepts/policy-for-kubernetes.md
@@ -21,6 +21,8 @@ Azure Policy for Kubernetes supports the following cluster environments:
 > [!IMPORTANT]
 > The Azure Policy Add-on Helm model and the add-on for AKS Engine have been _deprecated_. Follow the instructions to [remove the add-ons](#remove-the-add-on).
 
+> [!IMPORTANT]
+> Installations of Gatekeeper outside of the Azure Policy Add-on aren't supported. Uninstall any components installed by a previous Gatekeeper installation before enabling the Azure Policy Add-on.
 ## Overview
 
 By installing Azure Policy's add-on or extension on your Kubernetes clusters, Azure Policy enacts the following functions:
@@ -785,7 +787,6 @@ aligns with how the add-on was installed:
   - Maximum number of pods supported by the Azure Policy Add-on per cluster: **10,000**
   - Maximum number of Non-compliant records per policy per cluster: **500**
   - Maximum number of Non-compliant records per subscription: **1 million**
-  - Installations of Gatekeeper outside of the Azure Policy Add-on aren't supported. Uninstall any components installed by a previous Gatekeeper installation before enabling the Azure Policy Add-on.
   - [Reasons for non-compliance](../how-to/determine-non-compliance.md#compliance-reasons) aren't available for the Microsoft.Kubernetes.Data [Resource Provider mode](./definition-structure-basics.md#resource-provider-modes). Use [Component details](../how-to/determine-non-compliance.md#component-details-for-resource-provider-modes).
  - Component-level [exemptions](./exemption-structure.md) aren't supported for [Resource Provider modes](./definition-structure-basics.md#resource-provider-modes). Parameters support is available  in Azure Policy definitions to exclude and include particular namespaces.
  - Using the `metadata.gatekeeper.sh/requires-sync-data` annotation in a constraint template to configure the [replication of data](https://open-policy-agent.github.io/gatekeeper/website/docs/sync) from your cluster into the OPA cache is currently only allowed for built-in policies. The reason is because it can dramatically increase the Gatekeeper pods resource usage if not used carefully.
diff --git a/articles/governance/policy/troubleshoot/general.md b/articles/governance/policy/troubleshoot/general.md
@@ -366,6 +366,14 @@ The `regex.match` function in rego uses RE2, which is not the default flavor ser
 
 You will need to select the RE2 or golang flavor of regex in your matcher. See [the rego docs](https://docs.styra.com/opa/rego-by-example/builtins/regex/match) for more details on the RE2 flavor and what online tooling is recommended to test your regex.
 
+### Scenario: I'm seeing a large number of updates on constraint.gatekeeper.sh CRDs and other Gatekeeper resources
+
+#### Cause
+This is caused by a standalone instance of Gatekeeper being installed alongside the addon's Gatekeeper instance.
+
+#### Resolution
+Check for the existence of multiple Gatekeeper installations. Remove all Gatekeeper components not managed by AKS.
+
 ## Next steps
 
 If your problem isn't listed in this article or you can't resolve it, get support by visiting one of the following channels:
