Configuring Enforcer Options
This document relates to Chainguard Enforce. In order to follow along, you will need access to Chainguard Enforce. You can request access by selecting Chainguard Enforce on the inquiry form.
There is currently a limited list of Enforcer options that can be configured when installing Chainguard into an existing Kubernetes cluster. This guide walks you through each of these Enforcer configuration settings.
Our Getting Started guide provides more detailed information on how to set up Chainguard Enforce; this document is a reference on how to configure different behaviors for your cluster.
We will use chainctl, the command line tool for working with Chainguard products, which you can install using our installation guide.
The available Enforcer options are detailed below:
webhook_fail_open: a flag to enable/disable fail-open behavior for the Enforcer webhooks. Default is set to
enable_cip_cache: a flag to enable/disable cluster image policy (CIP) caching. Default is set to
namespace_enforcement_mode: defines the behavior of the Enforcer webhook's label selector. This option accepts two possible values:
  opt-in sets a behavior for the Enforcer webhooks where only namespaces labeled policy.sigstore.dev/include=true are verified against the defined policies.
  opt-out sets the opposite behavior, where only namespaces labeled policy.sigstore.dev/exclude=true are excluded from verification against the defined policies. Default is set to
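To make the two enforcement modes concrete, the following script evaluates which namespaces the Enforcer webhook would verify under each namespace_enforcement_mode value. It is an added example, not Chainguard's code: the namespace label inventory is constructed for illustration, and the decision rule mirrors the documented semantics (opt-in verifies only namespaces labeled policy.sigstore.dev/include=true; opt-out verifies every namespace except those labeled policy.sigstore.dev/exclude=true).

```shell
#!/bin/sh
# Which namespaces does the Enforcer webhook verify under a given
# namespace_enforcement_mode? Added example (not Chainguard's code); the
# inventory below is constructed. In a real cluster the labels would come from
# `kubectl get namespaces --show-labels`, and you would apply them with, e.g.:
#   kubectl label namespace prod policy.sigstore.dev/include=true
#   kubectl label namespace staging policy.sigstore.dev/exclude=true

# Constructed inventory: "<namespace> <labels>", labels as a comma-separated
# key=value list, or "-" for a namespace with no labels.
NAMESPACE_LABELS='prod policy.sigstore.dev/include=true,team=payments
staging policy.sigstore.dev/exclude=true
dev -
kube-system policy.sigstore.dev/exclude=true,control-plane=true'

# has_label <labels> <key=value>: succeeds if the label list contains the pair.
has_label() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# is_enforced <mode> <labels>: succeeds if the webhook would verify a namespace
# carrying these labels under <mode>. Unknown modes are rejected.
is_enforced() {
  mode=$1; labels=$2
  case "$mode" in
    opt-in)  has_label "$labels" "policy.sigstore.dev/include=true" ;;
    opt-out) ! has_label "$labels" "policy.sigstore.dev/exclude=true" ;;
    *) echo "unknown namespace_enforcement_mode: $mode" >&2; return 2 ;;
  esac
}

# enforced_namespaces <mode>: prints the names the webhook would verify,
# space-separated, in inventory order.
enforced_namespaces() {
  mode=$1
  printf '%s\n' "$NAMESPACE_LABELS" | while read -r ns labels; do
    if is_enforced "$mode" "$labels"; then echo "$ns"; fi
  done | paste -sd ' ' -
}

# Usage: show the verified set for each mode.
for m in opt-in opt-out; do
  printf '%s: %s\n' "$m" "$(enforced_namespaces "$m")"
done
```

Note the asymmetry the example exposes: under opt-in an unlabeled namespace such as dev is never verified, while under opt-out it is. If workloads land in namespaces that nobody remembered to label, opt-in silently leaves them unchecked, so the mode you choose should match how namespaces are provisioned in your cluster.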
To install with chainctl, first authenticate before running any command:
chainctl auth login
With your cluster already set up, you'll install the Chainguard Enforce Agent with chainctl and use the --opt flag to set any of your Enforcer-specific settings.
In this example on GKE, EKS, or AKS cloud infrastructure, we configure the cluster webhook to fail open with the following command:
chainctl cluster install --group=$GROUP_ID --context $CLUSTER --opt=webhook_fail_open=true
In this next example, using a private or on-prem cluster, we configure our Chainguard cluster to enable the cluster image policy (CIP) cache and fail-open behavior for the Enforce webhooks:
chainctl cluster install --group=$GROUP_ID --private --context $CLUSTER --opt=webhook_fail_open=true --opt=enable_cip_cache=true
Be sure to replace the $GROUP_ID and $CLUSTER variables with the appropriate IAM Group ID and the name of your Kubernetes cluster, respectively.
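Because every Enforcer setting is passed as a free-form --opt=key=value pair, it is easy to mistype a key or a value. The following pre-flight helper is an added example, not part of chainctl: it validates each pair against the three documented options and their accepted values, and assembles the chainctl cluster install command line as a dry run instead of executing it. The group ID and context values in the usage lines are placeholders.

```shell
#!/bin/sh
# Dry-run builder for `chainctl cluster install --opt=...`. Added example, not
# chainctl's own code: checks each --opt pair against the documented Enforcer
# options before printing the command that would be run. Group ID and context
# values used below are placeholders.

# valid_opt <key=value>: succeeds when the pair names a documented option
# with one of its accepted values.
valid_opt() {
  case "$1" in
    webhook_fail_open=true|webhook_fail_open=false) return 0 ;;
    enable_cip_cache=true|enable_cip_cache=false) return 0 ;;
    namespace_enforcement_mode=opt-in|namespace_enforcement_mode=opt-out) return 0 ;;
    *) return 1 ;;
  esac
}

# build_install_cmd <group-id> <context> [--private] <key=value>...
# Prints the assembled command, or reports the first invalid option on stderr
# and fails without printing anything.
build_install_cmd() {
  group=$1; context=$2; shift 2
  cmd="chainctl cluster install --group=$group"
  if [ "${1:-}" = "--private" ]; then
    cmd="$cmd --private"; shift
  fi
  cmd="$cmd --context $context"
  for opt in "$@"; do
    if ! valid_opt "$opt"; then
      echo "invalid Enforcer option: $opt" >&2
      return 1
    fi
    cmd="$cmd --opt=$opt"
  done
  printf '%s\n' "$cmd"
}

# Usage (placeholders): print the command for a private cluster with the CIP
# cache enabled and the webhook set to fail open, then show a rejected value.
build_install_cmd "GROUP_ID_PLACEHOLDER" "CLUSTER_PLACEHOLDER" --private \
  webhook_fail_open=true enable_cip_cache=true
build_install_cmd "GROUP_ID_PLACEHOLDER" "CLUSTER_PLACEHOLDER" webhook_fail_open=yes \
  || echo "rejected as expected"
```

Treat webhook_fail_open deliberately rather than as a default to copy: with fail-open behavior, admission proceeds when the webhook cannot answer, so policy enforcement is bypassed for the duration of a webhook outage. That trade-off favors availability; if the cluster's threat model favors blocking unverified images even during an outage, leave fail-open disabled and monitor webhook health instead.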
If you would like more detail about installing the Chainguard Enforce Agent with chainctl, or on getting onboarded to Chainguard Enforce, check out our Getting Started guide.
With Chainguard installed in your cluster, continue learning about Enforce by reading the Getting Started guide, learn how to manage policies with chainctl, or follow the tutorial on how to detect the Log4Shell vulnerability with Enforce.