* add limitation docs * update limitation docs
1 parent 30c985e, commit d8bedb3
Showing 2 changed files with 25 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
|
||
# Upgrade OCP Cluster while Integrity Shield is running | ||
|
||
OpenShift Container Platform (OCP) has a cluster upgrade function for an existing OCP cluster, and cluster admins can upgrade their clusters even while Integrity Shield is running. | ||
|
||
However, during this upgrade, Kubernetes components such as pods, Kubernetes API server and some others will be unavailable for a while. | ||
|
||
So this could make Integrity Shield protection unavailable just for a certain amount of time (a few minutes normally). For details of this limitation, please refer to [this](../README_LIMITATION.md). | ||
|
||
Therefore, please note that signature protection would be disabled temporally during OCP cluster upgrade. |
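Review bot: The last added line says signature protection "would be disabled temporally" during the upgrade; that should read "temporarily", and since it is the security-relevant statement of this page it is better stated directly, for example "Signature protection is temporarily unavailable during an OCP cluster upgrade." The page also gives the window only as "a few minutes normally" and does not tell a cluster admin what to do about resources created or changed in that window; consider adding a sentence on whether those changes need to be re-checked once Integrity Shield is running again. The link text "[this]" would be clearer as the name of the limitation document it points to.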
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
# Limitation | ||
|
||
## Signature Protection Availability | ||
|
||
|
||
Integrity Shield provides signature protection to Kubernetes resources and some other artifacts, but there is a limitation in terms of availability. | ||
|
||
Integrity Shield monitors Kubernetes resource request like create/update/delete as an admission controller, and an admission controller is connected to Kubernetes API server. | ||
|
||
So, when the API server and some other fundamental components are not available, signature protection cannot be performed by Integrity Shield. | ||
|
||
For example, when you are trying to upgrade the running cluster, its API server would become unavailable for a while. | ||
|
||
During this, signature protection is also unavailable. And after all components get running, it will become available again. | ||
|
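Review bot: The sentence "when the API server and some other fundamental components are not available, signature protection cannot be performed" does not say what happens to create/update/delete requests in that window: are they admitted without a signature check, or rejected until the admission controller is reachable again? That is what a reader needs in order to judge the risk, so please state it explicitly and name the "some other fundamental components" whose outage has this effect. Minor wording: "resource request like" should be "resource requests such as", and "During this" in the last paragraph reads better as "During this period".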