Use Tanzu Mission Control to specify the default settings for policies.

Tanzu Mission Control allows you set guardrails on various types of policies. Some of these policies are enforced using the OPA Gatekeeper open source package. These policies include security, image registry, mutation, and custom policies. When any one of these policies is created and applied to a cluster, Tanzu Mission Control installs OPA Gatekeeper on your cluster.

The Gatekeeper package contains various resources which Tanzu Mission Control configures with default values. The Settings tab of the Administration page in the Tanzu Mission Control console allows you to specify some of these default configuration values to suit the needs of your organization.

The following are some of the Gatekeeper configurations that can be changed:

  • Configurations for Gatekeeper controller-manager and audit deployments:
    • You can update the number of replicas and CPU/Memory limits/requests.
    • These configurations can help customize the deployments as required for the cluster or organization.
  • Validating webhook configuration installed by Gatekeeper:
    • This is an admission webhook installed by Gatekeeper to validate incoming requests against the defined policies.
    • You can update the failure policy value, timeout value, and the rules that define which incoming requests should be validated.

Settings are applied in a hierachical manner with inheritance. The settings of the organization cascade down through cluster groups and clusters. When these are set at the higher level, such as the organization level, they can be overridden by editing at specific lower levels like clusters. As an organization administrator, you can change the settings at any level.

  • Note that these are sensitive settings. If set incorrectly, they can impact policies applied on the cluster and some policies could stop working as expected. Use this feature with caution.