Use Tanzu Mission Control to specify the default settings for policies.

Tanzu Mission Control allows you to set guardrails on various types of policies. Some of these policies are enforced using the OPA Gatekeeper open source package. These policies include security, image registry, mutation, and custom policies. When any one of these policies is created and applied to a cluster, Tanzu Mission Control installs OPA Gatekeeper on your cluster.

The Gatekeeper package contains various resources which Tanzu Mission Control configures with default values. The Settings tab of the Administration page in the Tanzu Mission Control console allows you to specify some of these default configuration values to suit the needs of your organization.

The following are some of the Gatekeeper configurations that can be changed:

  • Configurations for the Gatekeeper controller-manager and audit deployments: you can update the number of replicas and the CPU/memory limits and requests. These configurations help you tailor the deployments to the needs of the cluster or organization.
  • Validating webhook configuration installed by Gatekeeper: you can update the timeout value, the rules, and the failure policy. The rules define which incoming requests are sent to the webhook for validation; the timeout bounds how long the API server waits for an answer; and the failure policy defines what happens to a request when the webhook cannot answer. This is an admission webhook installed by Gatekeeper to validate incoming requests against the defined policies. For more information about admission webhooks, see Customizing Admission Behavior in the OPA Gatekeeper documentation. For more information about timeout, rules in matching requests, and failure policy, see the respective sections under Webhook configuration in the Kubernetes documentation.
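The following is an added illustration of the three webhook settings named above, written as the Kubernetes ValidatingWebhookConfiguration object that Gatekeeper installs; it is not taken from Tanzu Mission Control and does not show its defaults. Object, webhook and service names follow the upstream Gatekeeper manifest, and the timeout and rule values are assumed, illustrative choices.

```yaml
# Illustrative ValidatingWebhookConfiguration for Gatekeeper (not the
# Tanzu Mission Control default values); names follow upstream Gatekeeper.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: gatekeeper-validating-webhook-configuration
webhooks:
- name: validation.gatekeeper.sh
  admissionReviewVersions: ["v1", "v1beta1"]
  sideEffects: None
  clientConfig:
    service:
      name: gatekeeper-webhook-service
      namespace: gatekeeper-system
      path: /v1/admit
  # failurePolicy: what the API server does when the webhook cannot answer
  # (timeout, pods down, TLS error). "Ignore" admits the request, so a
  # policy can be skipped silently; "Fail" rejects it (fail closed).
  failurePolicy: Fail
  # timeoutSeconds: how long the API server waits for the webhook (1-30).
  # A value that is too low produces spurious timeouts, which with
  # failurePolicy: Fail surface as rejected requests.
  timeoutSeconds: 3
  # rules: which requests are sent to the webhook at all. A request that
  # matches no rule is never validated by Gatekeeper, so narrowing the rules
  # narrows what the policies can see.
  rules:
  - apiGroups: ["*"]
    apiVersions: ["*"]
    operations: ["CREATE", "UPDATE"]
    resources: ["*"]
  # Upstream Gatekeeper exempts namespaces carrying this label from validation.
  namespaceSelector:
    matchExpressions:
    - key: admission.gatekeeper.sh/ignore
      operator: DoesNotExist
```

When reviewing a cluster's effective settings, the combination to check is failurePolicy together with timeoutSeconds: Ignore with a generous timeout hides webhook outages from users but also hides them from the policy, while Fail with a tight timeout makes outages visible as rejected requests.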

Settings are applied in a hierarchical manner with inheritance. The settings of the organization cascade down through cluster groups and clusters. When these are set at a higher level, such as the organization level, they can be overridden by editing them at a specific lower level, such as a cluster. As an organization administrator, you can change the settings at any level. To modify settings at the cluster group level, you must have clustergroup.admin permissions, and to modify settings at the cluster level, you must have cluster.admin permissions on the cluster.

  • Note that these are sensitive settings. If set incorrectly, they can impact policies applied on the cluster and some policies could stop working as expected. Use this feature with caution.