|Disable the bypass annotations for the admission controller. The default value is `false`.
24
24
25
+
|`--admission-controller-enforcement`
26
+
|Valid values are `true` and `false`. The default value is `true`. When set to `true`, the admission controller enforces a policy and rejects the deployment or update attempt. When set to `false`, the admission controller does not enforce a policy and allows a deployment or update to the cluster that violates the policy conditions.
27
+
25
28
|`--admission-controller-enforce-on-creates`
26
-
|Dynamic enable for enforcing on object creation in the admission controller. The default value is `false`.
29
+
|This field is deprecated.
27
30
28
31
|`--admission-controller-enforce-on-updates`
29
-
|Enable dynamic enforcement of object updates in the admission controller. The default value is `false`.
32
+
|This field is deprecated.
33
+
34
+
|`--admission-controller-fail-on-error`
35
+
| Valid values are `true` and `false`. The default value is `false`. Determines the action that should occur when an error or timeout happens in the admission controller. When set to `true`, the admission controller does not allow a request to reach the API server, or fails closed. When set to `false`, the admission controller allows the request to reach the server, or fails open.
30
36
31
37
|`--admission-controller-listen-on-creates`
32
-
|Configure the admission controller webhook to listen to deployment creation. The default value is `false`.
38
+
|This field is deprecated.
33
39
34
40
|`--admission-controller-listen-on-updates`
35
-
|Configure the admission controller webhook to listen to deployment updates. The default value is `false`.
41
+
|This field is deprecated.
36
42
37
43
|`--admission-controller-scan-inline`
38
-
|Get scans inline when using the admission controller. The default value is `false`.
44
+
|This field is deprecated.
39
45
40
46
|`--admission-controller-timeout int32`
41
-
|Set the timeout in seconds for the admission controller. The default value is `3`.
47
+
|This field is deprecated.
42
48
43
49
|`--central string`
44
50
|Set the endpoint to which you want to connect Sensor. The default value is `central.stackrox:443`.
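Review bot: the `--admission-controller-enforcement` row says the controller "rejects the deployment or update attempt" without saying which attempts; the `true` sentence should mirror the `false` one, for example "rejects a deployment or update that violates the policy conditions". The six rows now reduced to "This field is deprecated." lose both the previous default and any pointer to what supersedes them; where a replacement exists, state it (for example that `--admission-controller-enforcement` replaces `--admission-controller-enforce-on-creates` and `--admission-controller-enforce-on-updates`), and for `--admission-controller-timeout int32` say whether the timeout is now fixed rather than only deprecated, since an operator reading this table cannot tell whether the flag is ignored or still honoured. The phrasing also differs from the operator table in the same commit, which uses "This parameter is deprecated. Do not edit this parameter. If you edit this parameter, policy evaluation will not work as expected."; use one wording in both files.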
modules/secured-cluster-configuration-options-operator.adoc
11 additions & 14 deletions
@@ -33,19 +33,17 @@ To change the name, you must delete and re-create the object.
33
33
|===
34
34
| Parameter | Description
35
35
36
+
|`admissionControl.enforce`
37
+
| This parameter determines if admission controller enforcement is enabled on a cluster. For a new installation, the default value is `true.` For an update to an existing installation, the system checks the previous values for the admission controller parameters. If one of the `admissionControl.dynamic.enforceOnCreates` or `admissionControl.dynamic.enforceOnUpdates` parameters was set to `true` before the update, the value of this parameter is set to `true` with the update. If one of these parameters was set to `false`, the value is `false`.
38
+
36
39
| `admissionControl.listenOnCreates`
37
-
| Specify `true` to enable preventive policy enforcement for object creations.
38
-
The default value is `true`.
40
+
| This parameter is deprecated. Do not edit this parameter. If you edit this parameter, policy evaluation will not work as expected.
39
41
40
42
| `admissionControl.listenOnEvents`
41
-
| Specify `true` to enable monitoring and enforcement for Kubernetes events, such as `port-forward` and `exec` events.
42
-
It is used to control access to resources through the Kubernetes API.
43
-
The default value is `true`.
43
+
| This parameter is deprecated. Do not edit this parameter. If you edit this parameter, policy evaluation will not work as expected.
44
44
45
45
| `admissionControl.listenOnUpdates`
46
-
| Specify `true` to enable preventive policy enforcement for object updates.
47
-
It will not have any effect unless `Listen On Creates` is set to `true` as well.
48
-
The default value is `true`.
46
+
| This parameter is deprecated. Do not edit this parameter. If you edit this parameter, policy evaluation will not work as expected.
49
47
50
48
| `admissionControl.nodeSelector`
51
49
| If you want this component to only run on specific nodes, you can configure a node selector using this parameter.
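Review bot: the upgrade rule in the new `admissionControl.enforce` row contradicts itself. The first sentence sets the value to `true` when either `admissionControl.dynamic.enforceOnCreates` or `admissionControl.dynamic.enforceOnUpdates` was `true`, but the closing sentence says the value is `false` "if one of these parameters was set to `false`", which also holds when one was `true` and the other `false`. If the intent is OR semantics, change the last sentence to "If both parameters were set to `false`, the value is `false`." This matters because an administrator reading the stricter sentence may expect enforcement to be off after an upgrade when it is in fact on. Also the period sits inside the code span in "the default value is `true.`"; it should read "`true`."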
@@ -69,17 +67,16 @@ a| Use one of the following values to configure the bypassing of admission contr
69
67
* `Disabled` to disable the ability to bypass admission controller enforcement for the secured cluster.
70
68
71
69
The default value is `BreakGlassAnnotation`.
70
+
//Changes needed?
72
71
73
72
| `admissionControl.contactImageScanners`
74
-
a| Use one of the following values to specify if the admission controller must connect to the image scanner:
75
-
76
-
* `ScanIfMissing` if the scan results for the image are missing.
77
-
* `DoNotScanInline` to skip scanning the image when processing the admission request.
73
+
| This field is deprecated.
78
74
79
-
The default value is `DoNotScanInline`.
75
+
|`admissionControl.failurePolicy`
76
+
| Determines the action that should occur when an error or timeout happens in the admission controller. You can configure if the admission controller should allow a request to reach the API server, or fail open; or to stop the request, or fail closed. The default value is `Ignore`, or fail open, and allows the request to reach the server. Setting the value to `closed` does not allow the request to reach the server.
80
77
81
78
| `admissionControl.timeoutSeconds`
82
-
| Use this parameter to specify the maximum number of seconds {product-title-short} must wait for an admission review before marking it as fail open. If the admission webhook does not receive information that it is requesting before the end of the timeout period, it fails, but in fail open status, it still allows the operation to succeed. For example, the admission controller would allow a deployment to be created even if a scan had timed out and {product-title-short} could not determine if the deployment violated a policy. Beginning in release 4.5, Red{nbsp}Hat reduced the default timeout setting for the {product-title-short} admission controller webhooks from 20 seconds to 10 seconds, resulting in an effective timeout of 12 seconds within the `ValidatingWebhookConfiguration`. This change does not negatively affect {ocp} users because {ocp} caps the timeout at 13 seconds.
79
+
| The maximum number of seconds {product-title-short} must wait for an admission review before marking it as failed. This option is not configurable and is set to 10 seconds. Do not edit this parameter. If you edit this parameter, policy evaluation will not work as expected.
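Review bot: the `admissionControl.failurePolicy` row names the fail-closed setting `closed`, but the fail-open default it gives is `Ignore`, which is the Kubernetes `ValidatingWebhookConfiguration` failure policy name, and the counterpart of `Ignore` there is `Fail`, not `closed`. Please verify the accepted values and list them explicitly, for example "Valid values are `Ignore` and `Fail`." The added `//Changes needed?` comment after "The default value is `BreakGlassAnnotation`." is an unresolved note and should be answered or removed before merge. For `admissionControl.timeoutSeconds`, the removed text explained the consequence of fail open (a deployment is admitted even when the scan timed out and no policy decision was reached); even if the value is now fixed at 10 seconds, that one-sentence consequence is worth keeping so readers understand what a timeout means for policy enforcement.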
@@ -146,42 +147,36 @@ If you specify it as `true`, no tolerations are applied, and the collector pods
146
147
| `collector.serviceTLS.key`
147
148
| The internal service-to-service TLS certificate key that Collector uses.
148
149
150
+
|`admissionControl.enforce`
151
+
| This parameter determines if admission controller enforcement is enabled when checking policies. For a new installation, the default value is `true.` For an update to an existing installation, the system checks the previous values for the admission controller parameters. If one of the `admissionControl.dynamic.enforceOnCreates` or `admissionControl.dynamic.enforceOnUpdates` parameters was set to `true` before the update, the value of this parameter is set to `true` with the update. If one of these parameters was set to `false`, the value is `false`.
152
+
153
+
|`admissionControl.failurePolicy`
154
+
| Determines the action that should occur when an error or timeout happens in the admission controller. You can configure if the admission controller should allow the request to reach the API server, or fail open; or to stop the request, or fail closed. The default value is `Ignore`, or fail open, and allows the request to reach the server. Setting the value to `closed` does not allow the request to reach the server.
155
+
149
156
| `admissionControl.listenOnCreates`
150
-
| This setting controls whether Kubernetes is configured to contact {product-title} with `AdmissionReview` requests for workload creation events.
157
+
| This parameter is deprecated. Do not edit this parameter. If you edit this parameter, policy evaluation will not work as expected.
151
158
152
159
| `admissionControl.listenOnUpdates`
153
-
| When you set this parameter as `false`, {product-title} creates the `ValidatingWebhookConfiguration` in a way that causes the Kubernetes API server not to send object update events.
154
-
Since the volume of object updates is usually higher than the object creates, leaving this as `false` limits the load on the admission control service and decreases the chances of a malfunctioning admission control service.
160
+
| This parameter is deprecated. Do not edit this parameter. If you edit this parameter, policy evaluation will not work as expected.
155
161
156
162
| `admissionControl.listenOnEvents`
157
-
| This setting controls whether the cluster is configured to contact {product-title} with `AdmissionReview` requests for Kubernetes `exec` and `portforward` events.
158
-
{product-title-short} does not support this feature on {ocp} 3.11.
163
+
| This parameter is deprecated. Do not edit this parameter. If you edit this parameter, policy evaluation will not work as expected.
159
164
160
165
| `admissionControl.dynamic.enforceOnCreates`
161
-
| This setting controls whether {product-title} evaluates policies;
162
-
if it is disabled, all AdmissionReview requests are automatically accepted.
166
+
| This parameter is deprecated. Do not edit this parameter. If you edit this parameter, policy evaluation will not work as expected.
163
167
164
168
| `admissionControl.dynamic.enforceOnUpdates`
165
-
| This setting controls the behavior of the admission control service.
166
-
You must specify `listenOnUpdates` as `true` for this to work.
169
+
| This parameter is deprecated. Do not edit this parameter. If you edit this parameter, policy evaluation will not work as expected.
167
170
168
171
| `admissionControl.dynamic.scanInline`
169
-
| If you set this option to `true`, the admission control service requests an image scan before making an admission decision.
170
-
Since image scans take several seconds, enable this option only if you can ensure that all images used in your cluster are scanned before deployment (for example, by a CI integration during image build).
171
-
This option corresponds to the *Contact image scanners* option in the {product-title-short} portal.
172
+
| This parameter is deprecated. Do not edit this parameter. If you edit this parameter, policy evaluation will not work as expected.
172
173
173
174
| `admissionControl.dynamic.disableBypass`
174
-
| Set it to `true` to disable bypassing the Admission controller.
175
+
| Set it to `true` to disable bypassing the Admission controller. The default value is `false`.
175
176
//TODO: Link to admission controller docs
176
177
177
178
| `admissionControl.dynamic.timeout`
178
-
| Use this parameter to specify the maximum number of seconds {product-title-short} must wait for an admission review before marking it as fail open. If the admission webhook does not receive information that it is requesting before the end of the timeout period, it fails, but in fail open status, it still allows the operation to succeed. For example, the admission controller would allow a deployment to be created even if a scan had timed out and {product-title-short} could not determine if the deployment violated a policy. Beginning in release 4.5, Red{nbsp}Hat reduced the default timeout setting for the {product-title-short} admission controller webhooks from 20 seconds to 10 seconds, resulting in an effective timeout of 12 seconds within the `ValidatingWebhookConfiguration`.
179
-
ifndef::kube[]
180
-
This change does not negatively affect {ocp} users because {ocp} caps the timeout at 13 seconds.
181
-
endif::kube[]
182
-
ifndef::openshift[]
183
-
For Kubernetes clusters, image scanning and pulling that are done as part of the webhook execution might require you to configure a longer timeout value.
184
-
endif::openshift[]
179
+
| The maximum number of seconds {product-title-short} must wait for an admission review before marking it as failed. This option is not configurable and is set to 10 seconds. Do not edit this parameter. If you edit this parameter, policy evaluation will not work as expected.
185
180
186
181
| `admissionControl.resources.requests.memory`
187
182
| The memory request for the Admission Control container. Use this parameter to override the default value.
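Review bot: the `admissionControl.enforce` and `admissionControl.failurePolicy` rows added here duplicate the text added to the first table but with drifting wording ("enabled when checking policies" versus "enabled on a cluster") and repeat the same two defects: the period inside the code span in "`true.`", and `closed` where the Kubernetes counterpart of `Ignore` is `Fail`; keep both tables identical. The removed `admissionControl.dynamic.timeout` lines carried the `ifndef::openshift[]` note that Kubernetes clusters may need a longer timeout because image scanning and pulling run inside the webhook; with the timeout now described as fixed at 10 seconds, please confirm that guidance is intentionally dropped, since on such clusters a timed-out review fails open and the workload is admitted without a policy decision. The `//TODO: Link to admission controller docs` comment is still present in the surrounding context; add the link if the target exists, otherwise remove the comment.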