Commit 44d966c

Documents limitation on policy enforcement
This change documents that Embedded Cluster does not support enforcing policy on the workloads run by the embedded cluster. This may not be a common use case, so it may not make sense to add this change. I'm suggesting it and asking @ajp-io and @chris-sanders to take a look.
1 parent ae09ed9 commit 44d966c

1 file changed

+3
-1
lines changed

docs/vendor/embedded-overview.mdx

Lines changed: 3 additions & 1 deletion
@@ -75,6 +75,8 @@ Embedded Cluster has the following limitations:
7575

7676
* **Templating not supported in Embedded Cluster Config**: The [Embedded Cluster Config](/reference/embedded-config) resource does not support the use of Go template functions, including [KOTS template functions](/reference/template-functions-about).
7777

78+
* **Policy enforcement on Embedded Cluster workloads is not supported**: The Embedded Cluster runs workloads that required higher levels of privilege. If you application installs a policy enforcement engine such as Gatekeeper or Kyverno it should not enforce policy in the namespaces used by the embedded cluster.
79+
7880
## Quick Start
7981

8082
You can use the following steps to get started quickly with Embedded Cluster. More detailed documentation is available below.
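
Review bot: The added limitation bullet (new line 78) does not say which namespaces to exempt, and it has two typos. "the namespaces used by the embedded cluster" is left unnamed, so a vendor writing Gatekeeper or Kyverno exclusions cannot act on it; list the namespaces or link to where they are documented. In the same bullet, "workloads that required higher levels of privilege" should read "require", "If you application installs" should read "If your application installs", and a comma is needed after "Kyverno". The bold heading says enforcement "is not supported" while the body says the engine "should not enforce policy"; use one wording so it is clear whether this is a hard limitation or a recommendation.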
@@ -372,4 +374,4 @@ toolkit:
372374
373375
<SupportBundleIntro/>
374376
375-
<EmbeddedClusterSupportBundle/>
377+
<EmbeddedClusterSupportBundle/>
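
Review bot: In this hunk the removed line 375 and the added line 377 both read "<EmbeddedClusterSupportBundle/>", so as rendered the only difference is whitespace or an end-of-file newline, which is unrelated to the policy enforcement limitation this commit documents. Drop it from this commit, or note in the commit message that the change is intentional.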
