From 44d966cf965e7479218b6d2c98c4f89e805861b0 Mon Sep 17 00:00:00 2001 From: Chuck D'Antonio Date: Mon, 4 Nov 2024 12:28:38 -0500 Subject: [PATCH 1/4] Documents limitation on policy enforcement This change documents that Embedded Cluster does not support enforcing policy on the workloads run by the embedded cluster. This may not be a common use case, so it may not make sense to add this change. I'm suggesting it and asking @ajp-io and @chris-sanders to take a look. --- docs/vendor/embedded-overview.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/vendor/embedded-overview.mdx b/docs/vendor/embedded-overview.mdx index 1b6399c49a..1c4215665f 100644 --- a/docs/vendor/embedded-overview.mdx +++ b/docs/vendor/embedded-overview.mdx @@ -75,6 +75,8 @@ Embedded Cluster has the following limitations: * **Templating not supported in Embedded Cluster Config**: The [Embedded Cluster Config](/reference/embedded-config) resource does not support the use of Go template functions, including [KOTS template functions](/reference/template-functions-about). +* **Policy enforcement on Embedded Cluster workloads is not supported**: The Embedded Cluster runs workloads that required higher levels of privilege. If you application installs a policy enforcement engine such as Gatekeeper or Kyverno it should not enforce policy in the namespaces used by the embedded cluster. + ## Quick Start You can use the following steps to get started quickly with Embedded Cluster. More detailed documentation is available below. @@ -372,4 +374,4 @@ toolkit: - \ No newline at end of file + From c635f4c271f3a56620c6e27c6e7449426f9a8f83 Mon Sep 17 00:00:00 2001 From: Paige Calvert Date: Mon, 4 Nov 2024 10:54:39 -0700 Subject: [PATCH 2/4] Update embedded-overview.mdx --- docs/vendor/embedded-overview.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/vendor/embedded-overview.mdx b/docs/vendor/embedded-overview.mdx index 1c4215665f..396706fb32 100644 
--- a/docs/vendor/embedded-overview.mdx +++ b/docs/vendor/embedded-overview.mdx @@ -75,7 +75,7 @@ Embedded Cluster has the following limitations: * **Templating not supported in Embedded Cluster Config**: The [Embedded Cluster Config](/reference/embedded-config) resource does not support the use of Go template functions, including [KOTS template functions](/reference/template-functions-about). -* **Policy enforcement on Embedded Cluster workloads is not supported**: The Embedded Cluster runs workloads that required higher levels of privilege. If you application installs a policy enforcement engine such as Gatekeeper or Kyverno it should not enforce policy in the namespaces used by the embedded cluster. +* **Policy enforcement on Embedded Cluster workloads is not supported**: The Embedded Cluster runs workloads that require higher levels of privilege. If your application installs a policy enforcement engine such as Gatekeeper or Kyverno, ensure that your application does not enforce the policy in the namespaces used by Embedded Cluster. ## Quick Start From 528159155833fee810bb507d72cb1f2ffc1c8c22 Mon Sep 17 00:00:00 2001 From: Paige Calvert Date: Mon, 4 Nov 2024 13:29:56 -0700 Subject: [PATCH 3/4] Update embedded-overview.mdx --- docs/vendor/embedded-overview.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/vendor/embedded-overview.mdx b/docs/vendor/embedded-overview.mdx index 396706fb32..a913ed2e8e 100644 --- a/docs/vendor/embedded-overview.mdx +++ b/docs/vendor/embedded-overview.mdx 
@@ -75,7 +75,7 @@ Embedded Cluster has the following limitations: * **Templating not supported in Embedded Cluster Config**: The [Embedded Cluster Config](/reference/embedded-config) resource does not support the use of Go template functions, including [KOTS template functions](/reference/template-functions-about). -* **Policy enforcement on Embedded Cluster workloads is not supported**: The Embedded Cluster runs workloads that require higher levels of privilege. If your application installs a policy enforcement engine such as Gatekeeper or Kyverno, ensure that your application does not enforce the policy in the namespaces used by Embedded Cluster. +* **Policy enforcement on Embedded Cluster workloads is not supported**: The Embedded Cluster runs workloads that require higher levels of privilege. If your application installs a policy enforcement engine such as Gatekeeper or Kyverno, ensure that the policy is not enforced in the namespaces used by Embedded Cluster. ## Quick Start From c116fa6888e739a5f0acc7b62820be2b170c2272 Mon Sep 17 00:00:00 2001 From: Alex Parker <7272359+ajp-io@users.noreply.github.com> Date: Mon, 4 Nov 2024 15:33:23 -0500 Subject: [PATCH 4/4] Update embedded-overview.mdx --- docs/vendor/embedded-overview.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/vendor/embedded-overview.mdx b/docs/vendor/embedded-overview.mdx index a913ed2e8e..a1e9e0ab4f 100644 --- a/docs/vendor/embedded-overview.mdx +++ b/docs/vendor/embedded-overview.mdx 
@@ -75,7 +75,7 @@ Embedded Cluster has the following limitations: * **Templating not supported in Embedded Cluster Config**: The [Embedded Cluster Config](/reference/embedded-config) resource does not support the use of Go template functions, including [KOTS template functions](/reference/template-functions-about). -* **Policy enforcement on Embedded Cluster workloads is not supported**: The Embedded Cluster runs workloads that require higher levels of privilege. If your application installs a policy enforcement engine such as Gatekeeper or Kyverno, ensure that the policy is not enforced in the namespaces used by Embedded Cluster. +* **Policy enforcement on Embedded Cluster workloads is not supported**: The Embedded Cluster runs workloads that require higher levels of privilege. If your application installs a policy enforcement engine such as Gatekeeper or Kyverno, ensure that its policies are not enforced in the namespaces used by Embedded Cluster. ## Quick Start
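Review bot: the new limitation bullet added to docs/vendor/embedded-overview.mdx in PATCH 1/4 (the `+* **Policy enforcement on Embedded Cluster workloads is not supported**` line) tells vendors not to enforce policy "in the namespaces used by Embedded Cluster" but never names those namespaces or links to where they are listed, so a vendor cannot actually write the Gatekeeper or Kyverno exclusion the bullet asks for. Suggest naming the namespaces (or linking the reference page that lists them) and stating what kind of privilege the workloads need, since "require higher levels of privilege" does not tell the reader which policy classes (privileged containers, host access, and so on) would break the install. The wording fixes in PATCH 2/4 through 4/4 ("required" to "require", "you application" to "your application", "the embedded cluster" to "Embedded Cluster", "the policy" to "its policies") are all improvements to text PATCH 1/4 introduces; consider squashing them into it so the series lands as one commit.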
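Review bot: the second hunk of PATCH 1/4 (`@@ -372,4 +374,4 @@ toolkit:`) only replaces the `\ No newline at end of file` marker, an unrelated end-of-file whitespace fix at the bottom of the toolkit block that the commit message does not mention. Fine to keep, but either note it in the message or move it to its own commit so reviewers do not look for a content change there.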