Learn about the policy insights that Tanzu Mission Control tracks.

Tanzu Mission Control (TMC) monitors the policies you implement and reports any potential issues as insights.

The Policy insights page in the Tanzu Mission Control console shows the detected insights and provides links to the cluster, cluster group, and policy where the insight was found. The types of insights that you might see on this page include the following:
  • Violation - indicates that Kubernetes resources are not in compliance with the policy. (This insight applies only to Gatekeeper-based policies.)
  • Sync - indicates that the policy failed to be created on the cluster.
  • Threshold - indicates that a Kubernetes resource governed by a quota policy is approaching (80%) or has exceeded (100%) the quota specified in that policy.
  • Health - indicates that a policy is not enforced due to policy operator health issues. (This insight applies only to Gatekeeper-based policies.)
  • Incompatibility - indicates that a component used by Tanzu Mission Control is installed on the cluster, but was not installed by TMC. This situation might cause issues with the functionality of policies applied to the cluster. For example, this insight is raised if Gatekeeper is already installed on the cluster.
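
The Violation and Health insights above apply to Gatekeeper-based policies, and Gatekeeper records audit results and per-pod enforcement state in each constraint's status. The following is an added example, not part of the TMC documentation or product, and it does not reproduce how TMC computes insights. It summarizes a constructed sample shaped like `kubectl get constraint -o json` output; the constraint kinds, names, and the `summarize` helper are hypothetical.

```python
import json

# Constructed sample shaped like `kubectl get constraint -o json` output.
# Kinds, names and messages are invented for illustration.
SAMPLE = json.loads("""
{"items": [
  {"kind": "SampleNoPrivileged", "metadata": {"name": "no-privileged"},
   "status": {
     "byPod": [{"id": "gatekeeper-audit-0", "enforced": true},
               {"id": "gatekeeper-controller-0", "enforced": true}],
     "totalViolations": 3,
     "violations": [
       {"kind": "Pod", "namespace": "dev", "name": "debug-shell",
        "message": "privileged container not allowed"},
       {"kind": "Pod", "namespace": "ci", "name": "builder",
        "message": "privileged container not allowed"}]}},
  {"kind": "SampleAllowedRepos", "metadata": {"name": "trusted-registries"},
   "status": {"byPod": [{"id": "gatekeeper-audit-0", "enforced": false}]}},
  {"kind": "SampleAllowedRepos", "metadata": {"name": "just-created"}}
]}
""")


def summarize(doc):
    """Summarize audit results and enforcement state for each constraint."""
    out = []
    for item in doc.get("items", []):
        status = item.get("status") or {}
        listed = status.get("violations") or []
        total = status.get("totalViolations", len(listed))
        by_pod = status.get("byPod") or []
        out.append({
            "constraint": f'{item["kind"]}/{item["metadata"]["name"]}',
            "total_violations": total,
            # Gatekeeper caps the stored list, so it can be shorter than the total.
            "truncated": total > len(listed),
            "resources": [f'{v["kind"]}/{v.get("namespace", "")}/{v["name"]}'
                          for v in listed],
            # Pods that have not reported the constraint as enforced.
            "not_enforced_by": [p["id"] for p in by_pod if not p.get("enforced")],
            # No byPod entries: no Gatekeeper pod has picked the constraint up.
            "unobserved": not by_pod,
        })
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

To run it against a live cluster, pipe the real `kubectl get constraint -o json` output into `json.load` in place of `SAMPLE`.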

Tanzu Mission Control policies and Gatekeeper

Some of the policy types in Tanzu Mission Control (TMC) are implemented using OPA Gatekeeper. These policy types include security policy, image registry policy, and mutation policy. When you implement one of these policies, Tanzu Mission Control installs Gatekeeper on the cluster and maintains that installation while you have TMC policies applied to that cluster.

If there is an installation of Gatekeeper on the cluster that was not installed by TMC, then TMC does not alter or maintain that installation. In many cases, this situation does not impact the functionality of the policy. However, because Gatekeeper was not installed and configured by TMC, Gatekeeper-based policies implemented through TMC might not function as expected. This situation raises an Incompatibility insight.

For best results, if you are using TMC policies on a cluster, remove external installations of Gatekeeper and let TMC manage Gatekeeper for you.

This potential issue does not impact access, quota, and network policies.