Skip to content

Commit

Permalink
docs: add config alpha state and exempt-namespace docs (#2890)
Browse files Browse the repository at this point in the history
Signed-off-by: Xander Grzywinski <[email protected]>
Signed-off-by: Eshaan Mathur <[email protected]>
Signed-off-by: Nilekh Chaudhari <[email protected]>
Co-authored-by: Eshaan Mathur <[email protected]>
Co-authored-by: Rita Zhang <[email protected]>
Co-authored-by: Nilekh Chaudhari <[email protected]>
  • Loading branch information
4 people authored Aug 1, 2023
1 parent cc87a0d commit f3eba67
Show file tree
Hide file tree
Showing 16 changed files with 48 additions and 0 deletions.
4 changes: 4 additions & 0 deletions website/docs/exempt-namespaces.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ id: exempt-namespaces
title: Exempting Namespaces
---

`Feature State`: The `Config` resource is currently alpha.

## Exempting Namespaces from Gatekeeper using config resource

> The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`.
Expand Down Expand Up @@ -65,6 +67,8 @@ If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely (
3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached
to the label is ignored, so it can be used to annotate the reason for the exemption.

Similarly, you can also enable the exemption of entire groups of namespaces using the `--exempt-namespace-prefix` and `--exempt-namespace-suffix` flags. Using these flags allows the `admission.gatekeeper.sh/ignore` label to be added to any namespace that matches the supplied prefix or suffix.

## Difference between exclusion using config resource and `--exempt-namespace` flag

The difference is at what point in the admission process an exemption occurs.
Expand Down
2 changes: 2 additions & 0 deletions website/docs/sync.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ id: sync
title: Replicating Data
---

`Feature State`: The `Config` resource is currently alpha.

> The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`.
Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA.
Expand Down
4 changes: 4 additions & 0 deletions website/versioned_docs/version-v3.10.x/exempt-namespaces.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ id: exempt-namespaces
title: Exempting Namespaces
---

`Feature State`: The `Config` resource is currently alpha.

## Exempting Namespaces from Gatekeeper using config resource

> The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`.
Expand Down Expand Up @@ -65,6 +67,8 @@ If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely (
3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached
to the label is ignored, so it can be used to annotate the reason for the exemption.

Similarly, you can also enable the exemption of entire groups of namespaces using the `--exempt-namespace-prefix` and `--exempt-namespace-suffix` flags. Using these flags allows the `admission.gatekeeper.sh/ignore` label to be added to any namespace that matches the supplied prefix or suffix.

## Difference between exclusion using config resource and `--exempt-namespace` flag

The difference is at what point in the admission process an exemption occurs.
Expand Down
2 changes: 2 additions & 0 deletions website/versioned_docs/version-v3.10.x/sync.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ id: sync
title: Replicating Data
---

`Feature State`: The `Config` resource is currently alpha.

> The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`.
Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA.
Expand Down
4 changes: 4 additions & 0 deletions website/versioned_docs/version-v3.11.x/exempt-namespaces.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ id: exempt-namespaces
title: Exempting Namespaces
---

`Feature State`: The `Config` resource is currently alpha.

## Exempting Namespaces from Gatekeeper using config resource

> The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`.
Expand Down Expand Up @@ -65,6 +67,8 @@ If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely (
3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached
to the label is ignored, so it can be used to annotate the reason for the exemption.

Similarly, you can also enable the exemption of entire groups of namespaces using the `--exempt-namespace-prefix` and `--exempt-namespace-suffix` flags. Using these flags allows the `admission.gatekeeper.sh/ignore` label to be added to any namespace that matches the supplied prefix or suffix.

## Difference between exclusion using config resource and `--exempt-namespace` flag

The difference is at what point in the admission process an exemption occurs.
Expand Down
2 changes: 2 additions & 0 deletions website/versioned_docs/version-v3.11.x/sync.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ id: sync
title: Replicating Data
---

`Feature State`: The `Config` resource is currently alpha.

> The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`.
Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA.
Expand Down
4 changes: 4 additions & 0 deletions website/versioned_docs/version-v3.12.x/exempt-namespaces.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ id: exempt-namespaces
title: Exempting Namespaces
---

`Feature State`: The `Config` resource is currently alpha.

## Exempting Namespaces from Gatekeeper using config resource

> The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`.
Expand Down Expand Up @@ -65,6 +67,8 @@ If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely (
3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached
to the label is ignored, so it can be used to annotate the reason for the exemption.

Similarly, you can also enable the exemption of entire groups of namespaces using the `--exempt-namespace-prefix` and `--exempt-namespace-suffix` flags. Using these flags allows the `admission.gatekeeper.sh/ignore` label to be added to any namespace that matches the supplied prefix or suffix.

## Difference between exclusion using config resource and `--exempt-namespace` flag

The difference is at what point in the admission process an exemption occurs.
Expand Down
2 changes: 2 additions & 0 deletions website/versioned_docs/version-v3.12.x/sync.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ id: sync
title: Replicating Data
---

`Feature State`: The `Config` resource is currently alpha.

> The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`.
Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA.
Expand Down
4 changes: 4 additions & 0 deletions website/versioned_docs/version-v3.6.x/exempt-namespaces.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ id: exempt-namespaces
title: Exempting Namespaces
---

`Feature State`: The `Config` resource is currently alpha.

## Exempting Namespaces from Gatekeeper using config resource

> The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`.
Expand Down Expand Up @@ -65,6 +67,8 @@ If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely (
3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached
to the label is ignored, so it can be used to annotate the reason for the exemption.

Similarly, you can also enable the exemption of entire groups of namespaces using the `--exempt-namespace-prefix` and `--exempt-namespace-suffix` flags. Using these flags allows the `admission.gatekeeper.sh/ignore` label to be added to any namespace that matches the supplied prefix or suffix.

## Difference between exclusion using config resource and `--exempt-namespace` flag

The difference is at what point in the admission process an exemption occurs.
Expand Down
2 changes: 2 additions & 0 deletions website/versioned_docs/version-v3.6.x/sync.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ id: sync
title: Replicating Data
---

`Feature State`: The `Config` resource is currently alpha.

> The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`.
Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA.
Expand Down
4 changes: 4 additions & 0 deletions website/versioned_docs/version-v3.7.x/exempt-namespaces.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ id: exempt-namespaces
title: Exempting Namespaces
---

`Feature State`: The `Config` resource is currently alpha.

## Exempting Namespaces from Gatekeeper using config resource

> The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`.
Expand Down Expand Up @@ -65,6 +67,8 @@ If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely (
3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached
to the label is ignored, so it can be used to annotate the reason for the exemption.

Similarly, you can also enable the exemption of entire groups of namespaces using the `--exempt-namespace-prefix` and `--exempt-namespace-suffix` flags. Using these flags allows the `admission.gatekeeper.sh/ignore` label to be added to any namespace that matches the supplied prefix or suffix.

## Difference between exclusion using config resource and `--exempt-namespace` flag

The difference is at what point in the admission process an exemption occurs.
Expand Down
2 changes: 2 additions & 0 deletions website/versioned_docs/version-v3.7.x/sync.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ id: sync
title: Replicating Data
---

`Feature State`: The `Config` resource is currently alpha.

> The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`.
Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA.
Expand Down
4 changes: 4 additions & 0 deletions website/versioned_docs/version-v3.8.x/exempt-namespaces.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ id: exempt-namespaces
title: Exempting Namespaces
---

`Feature State`: The `Config` resource is currently alpha.

## Exempting Namespaces from Gatekeeper using config resource

> The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`.
Expand Down Expand Up @@ -65,6 +67,8 @@ If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely (
3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached
to the label is ignored, so it can be used to annotate the reason for the exemption.

Similarly, you can also enable the exemption of entire groups of namespaces using the `--exempt-namespace-prefix` and `--exempt-namespace-suffix` flags. Using these flags allows the `admission.gatekeeper.sh/ignore` label to be added to any namespace that matches the supplied prefix or suffix.

## Difference between exclusion using config resource and `--exempt-namespace` flag

The difference is at what point in the admission process an exemption occurs.
Expand Down
2 changes: 2 additions & 0 deletions website/versioned_docs/version-v3.8.x/sync.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ id: sync
title: Replicating Data
---

`Feature State`: The `Config` resource is currently alpha.

> The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`.
Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA.
Expand Down
4 changes: 4 additions & 0 deletions website/versioned_docs/version-v3.9.x/exempt-namespaces.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ id: exempt-namespaces
title: Exempting Namespaces
---

`Feature State`: The `Config` resource is currently alpha.

## Exempting Namespaces from Gatekeeper using config resource

> The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`.
Expand Down Expand Up @@ -65,6 +67,8 @@ If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely (
3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached
to the label is ignored, so it can be used to annotate the reason for the exemption.

Similarly, you can also enable the exemption of entire groups of namespaces using the `--exempt-namespace-prefix` and `--exempt-namespace-suffix` flags. Using these flags allows the `admission.gatekeeper.sh/ignore` label to be added to any namespace that matches the supplied prefix or suffix.

## Difference between exclusion using config resource and `--exempt-namespace` flag

The difference is at what point in the admission process an exemption occurs.
Expand Down
2 changes: 2 additions & 0 deletions website/versioned_docs/version-v3.9.x/sync.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ id: sync
title: Replicating Data
---

`Feature State`: The `Config` resource is currently alpha.

> The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`.
Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA.
Expand Down

0 comments on commit f3eba67

Please sign in to comment.