Deployed 4286d2766 to main with MkDocs 1.6.1 and mike 1.2.0.dev0

moolen 1 year ago
parent
commit
a0fd764153
2 changed files with 15 additions and 7 deletions
  1. 15 7
      main/guides/security-best-practices/index.html
  2. 0 0
      main/search/search_index.json

+ 15 - 7
main/guides/security-best-practices/index.html

@@ -4079,17 +4079,25 @@
 <span class="w">          </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">frontend</span>
 </code></pre></div>
 <h3 id="3-selectively-disable-reconciliation-of-cluster-wide-resources">3. Selectively Disable Reconciliation of Cluster-Wide Resources</h3>
-<p>ESO allows you to selectively disable the reconciliation of cluster-wide resources such as <code>ClusterSecretStore</code>, <code>ClusterExternalSecret</code>, and <code>PushSecret</code>. You can disable the installation of CRDs in the Helm chart or disable reconciliation in the core-controller using the following options:</p>
-<p>To disable CRD installation:</p>
-<div class="highlight"><pre><span></span><code><span class="c1"># disable cluster-wide resources &amp; push secret</span>
-<span class="nt">crds</span><span class="p">:</span>
+<p>ESO allows you to selectively disable the reconciliation of cluster-wide resources <code>ClusterSecretStore</code>, <code>ClusterExternalSecret</code>, and <code>PushSecret</code>.
+You can disable the installation of CRDs and reconciliation in the Helm chart, or disable reconciliation in the core controller.</p>
+<p>To disable reconciliation in the Helm chart:</p>
+<div class="highlight"><pre><span></span><code><span class="nt">processClusterExternalSecret</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span>
+<span class="nt">processClusterStore</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span>
+<span class="nt">processPushSecret</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span>
+</code></pre></div>
+<p>To disable CRD installation in the Helm chart:</p>
+<div class="highlight"><pre><span></span><code><span class="nt">crds</span><span class="p">:</span>
 <span class="w">  </span><span class="nt">createClusterExternalSecret</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span>
 <span class="w">  </span><span class="nt">createClusterSecretStore</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span>
 <span class="w">  </span><span class="nt">createPushSecret</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span>
 </code></pre></div>
-<p>To disable reconciliation in the core-controller:</p>
-<div class="highlight"><pre><span></span><code>--enable-cluster-external-secret-reconciler
---enable-cluster-store-reconciler
+<p>Note that disabling CRD installation for a cluster-wide resource does not automatically disable its reconciliation.
+The core controller will issue error logs if the CRD is not installed but the reconciliation is not disabled.</p>
+<p>To disable reconciliation in the core controller, set the following flags:</p>
+<div class="highlight"><pre><span></span><code>--enable-cluster-external-secret-reconciler=false
+--enable-cluster-store-reconciler=false
+--enable-push-secret-reconciler=false
 </code></pre></div>
 <h3 id="4-implement-namespace-scoped-installation">4. Implement Namespace-Scoped Installation</h3>
 <p>To further enhance security, consider installing ESO into a specific namespace with restricted access to only that namespace's resources. This prevents access to cluster-wide secrets. Use the following Helm values to scope the controller to a specific namespace:</p>
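Review bot: The added note after the `crds:` block ("disabling CRD installation for a cluster-wide resource does not automatically disable its reconciliation") describes a pitfall that the page layout still invites, because the `crds:` values and the `process*` values are shown as two separate snippets. A reader who copies only the `crds:` block ends up in exactly the error-logging state the note warns about. Suggest one combined Helm values example that sets both `createClusterExternalSecret: false` and the matching `processClusterExternalSecret: false` (and likewise for the store and push secret keys), placed before the note. The intro sentence also presents "in the Helm chart" and "in the core controller" as alternatives without saying whether the `process*` values are what set `--enable-cluster-store-reconciler=false` and the other flags. One sentence stating that relationship would tell readers whether they need both. The key names are also not parallel, `processClusterStore` versus `createClusterSecretStore`, which is easy to mistype and worth a brief mention in the text. Finally, the commit message says this is MkDocs deploy output, so these changes should go into the guide's source page rather than this generated HTML.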

File diff suppressed because it is too large
+ 0 - 0
main/search/search_index.json


Some files were not shown because too many files changed in this diff