diff --git a/website/docs/exempt-namespaces.md b/website/docs/exempt-namespaces.md index d8eb3cfc707..e95c1e2b9df 100644 --- a/website/docs/exempt-namespaces.md +++ b/website/docs/exempt-namespaces.md @@ -3,6 +3,8 @@ id: exempt-namespaces title: Exempting Namespaces --- +`Feature State`: The `Config` resource is currently alpha. + ## Exempting Namespaces from Gatekeeper using config resource > The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`. @@ -65,6 +67,8 @@ If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely ( 3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached to the label is ignored, so it can be used to annotate the reason for the exemption. +Similarly, you can also enable the exemption of entire groups of namespaces using the `--exempt-namespace-prefix` and `--exempt-namespace-suffix` flags. Using these flags allows the `admission.gatekeeper.sh/ignore` label to be added to any namespace that matches the supplied prefix or suffix. + ## Difference between exclusion using config resource and `--exempt-namespace` flag The difference is at what point in the admission process an exemption occurs. diff --git a/website/docs/sync.md b/website/docs/sync.md index 9e6d4e100c2..a79bee11e29 100644 --- a/website/docs/sync.md +++ b/website/docs/sync.md @@ -3,6 +3,8 @@ id: sync title: Replicating Data --- +`Feature State`: The `Config` resource is currently alpha. + > The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`. Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA. diff --git a/website/versioned_docs/version-v3.10.x/exempt-namespaces.md b/website/versioned_docs/version-v3.10.x/exempt-namespaces.md index d8eb3cfc707..e95c1e2b9df 100644 --- a/website/versioned_docs/version-v3.10.x/exempt-namespaces.md +++ b/website/versioned_docs/version-v3.10.x/exempt-namespaces.md @@ -3,6 +3,8 @@ id: exempt-namespaces title: Exempting Namespaces --- +`Feature State`: The `Config` resource is currently alpha. + ## Exempting Namespaces from Gatekeeper using config resource > The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`. @@ -65,6 +67,8 @@ If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely ( 3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached to the label is ignored, so it can be used to annotate the reason for the exemption. +Similarly, you can also enable the exemption of entire groups of namespaces using the `--exempt-namespace-prefix` and `--exempt-namespace-suffix` flags. Using these flags allows the `admission.gatekeeper.sh/ignore` label to be added to any namespace that matches the supplied prefix or suffix. + ## Difference between exclusion using config resource and `--exempt-namespace` flag The difference is at what point in the admission process an exemption occurs. diff --git a/website/versioned_docs/version-v3.10.x/sync.md b/website/versioned_docs/version-v3.10.x/sync.md index 9e6d4e100c2..a79bee11e29 100644 --- a/website/versioned_docs/version-v3.10.x/sync.md +++ b/website/versioned_docs/version-v3.10.x/sync.md @@ -3,6 +3,8 @@ id: sync title: Replicating Data --- +`Feature State`: The `Config` resource is currently alpha. + > The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`. Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA. diff --git a/website/versioned_docs/version-v3.11.x/exempt-namespaces.md b/website/versioned_docs/version-v3.11.x/exempt-namespaces.md index d8eb3cfc707..e95c1e2b9df 100644 --- a/website/versioned_docs/version-v3.11.x/exempt-namespaces.md +++ b/website/versioned_docs/version-v3.11.x/exempt-namespaces.md @@ -3,6 +3,8 @@ id: exempt-namespaces title: Exempting Namespaces --- +`Feature State`: The `Config` resource is currently alpha. + ## Exempting Namespaces from Gatekeeper using config resource > The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`. @@ -65,6 +67,8 @@ If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely ( 3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached to the label is ignored, so it can be used to annotate the reason for the exemption. +Similarly, you can also enable the exemption of entire groups of namespaces using the `--exempt-namespace-prefix` and `--exempt-namespace-suffix` flags. Using these flags allows the `admission.gatekeeper.sh/ignore` label to be added to any namespace that matches the supplied prefix or suffix. + ## Difference between exclusion using config resource and `--exempt-namespace` flag The difference is at what point in the admission process an exemption occurs. diff --git a/website/versioned_docs/version-v3.11.x/sync.md b/website/versioned_docs/version-v3.11.x/sync.md index 9e6d4e100c2..a79bee11e29 100644 --- a/website/versioned_docs/version-v3.11.x/sync.md +++ b/website/versioned_docs/version-v3.11.x/sync.md @@ -3,6 +3,8 @@ id: sync title: Replicating Data --- +`Feature State`: The `Config` resource is currently alpha. + > The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`. Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA. diff --git a/website/versioned_docs/version-v3.12.x/exempt-namespaces.md b/website/versioned_docs/version-v3.12.x/exempt-namespaces.md index d8eb3cfc707..e95c1e2b9df 100644 --- a/website/versioned_docs/version-v3.12.x/exempt-namespaces.md +++ b/website/versioned_docs/version-v3.12.x/exempt-namespaces.md @@ -3,6 +3,8 @@ id: exempt-namespaces title: Exempting Namespaces --- +`Feature State`: The `Config` resource is currently alpha. + ## Exempting Namespaces from Gatekeeper using config resource > The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`. @@ -65,6 +67,8 @@ If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely ( 3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached to the label is ignored, so it can be used to annotate the reason for the exemption. +Similarly, you can also enable the exemption of entire groups of namespaces using the `--exempt-namespace-prefix` and `--exempt-namespace-suffix` flags. Using these flags allows the `admission.gatekeeper.sh/ignore` label to be added to any namespace that matches the supplied prefix or suffix. + ## Difference between exclusion using config resource and `--exempt-namespace` flag The difference is at what point in the admission process an exemption occurs. diff --git a/website/versioned_docs/version-v3.12.x/sync.md b/website/versioned_docs/version-v3.12.x/sync.md index 9e6d4e100c2..a79bee11e29 100644 --- a/website/versioned_docs/version-v3.12.x/sync.md +++ b/website/versioned_docs/version-v3.12.x/sync.md @@ -3,6 +3,8 @@ id: sync title: Replicating Data --- +`Feature State`: The `Config` resource is currently alpha. + > The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`. Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA. diff --git a/website/versioned_docs/version-v3.6.x/exempt-namespaces.md b/website/versioned_docs/version-v3.6.x/exempt-namespaces.md index d8eb3cfc707..e95c1e2b9df 100644 --- a/website/versioned_docs/version-v3.6.x/exempt-namespaces.md +++ b/website/versioned_docs/version-v3.6.x/exempt-namespaces.md @@ -3,6 +3,8 @@ id: exempt-namespaces title: Exempting Namespaces --- +`Feature State`: The `Config` resource is currently alpha. + ## Exempting Namespaces from Gatekeeper using config resource > The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`. @@ -65,6 +67,8 @@ If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely ( 3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached to the label is ignored, so it can be used to annotate the reason for the exemption. +Similarly, you can also enable the exemption of entire groups of namespaces using the `--exempt-namespace-prefix` and `--exempt-namespace-suffix` flags. Using these flags allows the `admission.gatekeeper.sh/ignore` label to be added to any namespace that matches the supplied prefix or suffix. + ## Difference between exclusion using config resource and `--exempt-namespace` flag The difference is at what point in the admission process an exemption occurs. diff --git a/website/versioned_docs/version-v3.6.x/sync.md b/website/versioned_docs/version-v3.6.x/sync.md index 62ede347e54..17aaab56185 100644 --- a/website/versioned_docs/version-v3.6.x/sync.md +++ b/website/versioned_docs/version-v3.6.x/sync.md @@ -3,6 +3,8 @@ id: sync title: Replicating Data --- +`Feature State`: The `Config` resource is currently alpha. + > The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`. Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA. diff --git a/website/versioned_docs/version-v3.7.x/exempt-namespaces.md b/website/versioned_docs/version-v3.7.x/exempt-namespaces.md index d8eb3cfc707..e95c1e2b9df 100644 --- a/website/versioned_docs/version-v3.7.x/exempt-namespaces.md +++ b/website/versioned_docs/version-v3.7.x/exempt-namespaces.md @@ -3,6 +3,8 @@ id: exempt-namespaces title: Exempting Namespaces --- +`Feature State`: The `Config` resource is currently alpha. + ## Exempting Namespaces from Gatekeeper using config resource > The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`. @@ -65,6 +67,8 @@ If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely ( 3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached to the label is ignored, so it can be used to annotate the reason for the exemption. +Similarly, you can also enable the exemption of entire groups of namespaces using the `--exempt-namespace-prefix` and `--exempt-namespace-suffix` flags. Using these flags allows the `admission.gatekeeper.sh/ignore` label to be added to any namespace that matches the supplied prefix or suffix. + ## Difference between exclusion using config resource and `--exempt-namespace` flag The difference is at what point in the admission process an exemption occurs. diff --git a/website/versioned_docs/version-v3.7.x/sync.md b/website/versioned_docs/version-v3.7.x/sync.md index 62ede347e54..17aaab56185 100644 --- a/website/versioned_docs/version-v3.7.x/sync.md +++ b/website/versioned_docs/version-v3.7.x/sync.md @@ -3,6 +3,8 @@ id: sync title: Replicating Data --- +`Feature State`: The `Config` resource is currently alpha. + > The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`. Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA. diff --git a/website/versioned_docs/version-v3.8.x/exempt-namespaces.md b/website/versioned_docs/version-v3.8.x/exempt-namespaces.md index d8eb3cfc707..e95c1e2b9df 100644 --- a/website/versioned_docs/version-v3.8.x/exempt-namespaces.md +++ b/website/versioned_docs/version-v3.8.x/exempt-namespaces.md @@ -3,6 +3,8 @@ id: exempt-namespaces title: Exempting Namespaces --- +`Feature State`: The `Config` resource is currently alpha. + ## Exempting Namespaces from Gatekeeper using config resource > The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`. @@ -65,6 +67,8 @@ If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely ( 3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached to the label is ignored, so it can be used to annotate the reason for the exemption. +Similarly, you can also enable the exemption of entire groups of namespaces using the `--exempt-namespace-prefix` and `--exempt-namespace-suffix` flags. Using these flags allows the `admission.gatekeeper.sh/ignore` label to be added to any namespace that matches the supplied prefix or suffix. + ## Difference between exclusion using config resource and `--exempt-namespace` flag The difference is at what point in the admission process an exemption occurs. diff --git a/website/versioned_docs/version-v3.8.x/sync.md b/website/versioned_docs/version-v3.8.x/sync.md index 9e6d4e100c2..a79bee11e29 100644 --- a/website/versioned_docs/version-v3.8.x/sync.md +++ b/website/versioned_docs/version-v3.8.x/sync.md @@ -3,6 +3,8 @@ id: sync title: Replicating Data --- +`Feature State`: The `Config` resource is currently alpha. + > The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`. Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA. diff --git a/website/versioned_docs/version-v3.9.x/exempt-namespaces.md b/website/versioned_docs/version-v3.9.x/exempt-namespaces.md index 9930f91c186..c68ebf65ca6 100644 --- a/website/versioned_docs/version-v3.9.x/exempt-namespaces.md +++ b/website/versioned_docs/version-v3.9.x/exempt-namespaces.md @@ -3,6 +3,8 @@ id: exempt-namespaces title: Exempting Namespaces --- +`Feature State`: The `Config` resource is currently alpha. + ## Exempting Namespaces from Gatekeeper using config resource > The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`. @@ -65,6 +67,8 @@ If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely ( 3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached to the label is ignored, so it can be used to annotate the reason for the exemption. +Similarly, you can also enable the exemption of entire groups of namespaces using the `--exempt-namespace-prefix` and `--exempt-namespace-suffix` flags. Using these flags allows the `admission.gatekeeper.sh/ignore` label to be added to any namespace that matches the supplied prefix or suffix. + ## Difference between exclusion using config resource and `--exempt-namespace` flag The difference is at what point in the admission process an exemption occurs. diff --git a/website/versioned_docs/version-v3.9.x/sync.md b/website/versioned_docs/version-v3.9.x/sync.md index 9e6d4e100c2..a79bee11e29 100644 --- a/website/versioned_docs/version-v3.9.x/sync.md +++ b/website/versioned_docs/version-v3.9.x/sync.md @@ -3,6 +3,8 @@ id: sync title: Replicating Data --- +`Feature State`: The `Config` resource is currently alpha. + > The "Config" resource must be named `config` for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it `config`. Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA.