Management Policies
Management Policies control whether the Entigo Platform fully manages a resource or just observes it. This lets you use the platform for central visibility and governance even when some resources are managed by other tools.
Full Management
When a resource is fully managed, the platform is the source of truth:
- The resource is defined in the control plane and provisioned to the workspace
- Changes are made through the platform (Web UI, CLI, API, or GitOps via the control plane)
- The platform can create, update, and delete the resource
- Resource status is reported back from the workspace to the control plane
Full management is the default. If no management policy is explicitly set, the platform assumes full management.
Observe Only
When a resource is observed, the workspace is the source of truth:
- The resource was created directly in the workspace using external tools (ArgoCD, Helm, Terraform, etc.)
- The resource configuration and status are mirrored to the platform for visibility
- The platform treats the resource as read-only — it will not modify or delete it
- To change the resource, use the same tools that created it
Observe mode enables you to:
- Get central visibility into resources managed by different teams and tools
- Gradually evaluate the platform alongside existing tooling
- Maintain a single inventory of all resources, regardless of how they're managed
How It Works
The management policy is set using the Kubernetes label `entigo.com/management-policy`:
| Label Value | Behavior | Source of Truth |
|---|---|---|
| `full` (or absent) | Platform manages the full lifecycle | Control Plane |
| `observed` | Platform mirrors status, does not modify | Workspace |
Precedence
When a label exists in both the control plane and workspace, the workspace label takes precedence:
| Control Plane | Workspace | Result |
|---|---|---|
| any | `management-policy=full` | Full management |
| any | `management-policy=observed` | Observe only |
| any | No label (steady-state) | Observe only |
| `management-policy=full` | Resource doesn't exist | Full (platform provisions it) |
| No label | Resource doesn't exist | Full (platform provisions it) |
| `management-policy=observed` | Resource doesn't exist | Orphaned (platform does not provision) |
Cloud Resource Protection
For cloud resources (e.g., AWS RDS databases, S3 buckets), the management policy controls Crossplane behavior:
- Fully managed cloud resources can be created, modified, and deleted by the platform
- Observed cloud resources are protected at the Crossplane level — the platform uses `managementPolicies: ["Observe"]` and `deletionPolicy: Orphan`, ensuring the platform does not modify or delete the cloud resource
The management policy is a Kubernetes-only concept and is not propagated to cloud resource tags.
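The precedence table above and the Crossplane mapping for cloud resources, worked through as an added example (illustration code, not the Entigo Platform's own implementation). The label key, its `full`/`observed` values, the precedence rows and the `Observe`/`Orphan` settings come from this page; the function names, the `"orphaned"` return value and the assumption that fully managed resources use Crossplane's defaults (`managementPolicies: ["*"]`, `deletionPolicy: Delete`) are this example's own:

```python
"""Resolve the effective Entigo management policy and the Crossplane fields.

Added illustration, not part of the Entigo Platform's code. Label key and
values come from the documentation; function names are assumptions.
"""
from typing import Optional

LABEL = "entigo.com/management-policy"


def effective_policy(control_plane_labels: dict,
                     workspace_labels: Optional[dict]) -> str:
    """Return "full", "observed" or "orphaned" per the precedence table.

    workspace_labels is None when the resource does not exist in the workspace
    ("Resource doesn't exist" rows). Otherwise it is the label map of the live
    workspace object, which may lack the management-policy label entirely.
    """
    cp = control_plane_labels.get(LABEL, "full")  # absent label means full
    if workspace_labels is None:
        # Nothing in the workspace yet: the control plane label decides whether
        # the platform provisions the resource or leaves it orphaned.
        return "orphaned" if cp == "observed" else "full"
    ws = workspace_labels.get(LABEL)
    if ws == "full":
        return "full"  # workspace label wins over whatever the control plane says
    # Explicit "observed", or no label on an existing (steady-state) resource:
    # the workspace is the source of truth and the platform only mirrors status.
    return "observed"


def crossplane_fields(policy: str) -> Optional[dict]:
    """Map the effective policy to the Crossplane spec fields the page names.

    Returns None for "orphaned": the platform does not provision anything.
    The values for "full" are Crossplane's defaults (an assumption here).
    """
    if policy == "observed":
        return {"managementPolicies": ["Observe"], "deletionPolicy": "Orphan"}
    if policy == "full":
        return {"managementPolicies": ["*"], "deletionPolicy": "Delete"}
    return None


def resolve(control_plane_obj: dict, workspace_obj: Optional[dict]) -> tuple:
    """Convenience wrapper taking Kubernetes-style objects (metadata.labels)."""
    cp_labels = control_plane_obj.get("metadata", {}).get("labels", {})
    ws_labels = None
    if workspace_obj is not None:
        ws_labels = workspace_obj.get("metadata", {}).get("labels", {})
    policy = effective_policy(cp_labels, ws_labels)
    return policy, crossplane_fields(policy)
```

Constructed inputs such as `{"metadata": {"labels": {LABEL: "observed"}}}` for the control plane object with `None` for the workspace object reproduce the "Orphaned" row.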
When to Use Each Mode
| Scenario | Recommended Policy |
|---|---|
| New resources created through the platform | Full (default) |
| Existing resources you want the platform to manage | Full (after migration) |
| Resources managed by ArgoCD, Flux, or Helm | Observed |
| Resources you're evaluating the platform with | Start with Observed, migrate to Full |
| Shared infrastructure (VPCs, DNS zones) | Observed |
Related Concepts
- Resource Tagging — How the management policy tag fits into the broader tagging strategy
- Permission Boundaries — How observed resources are protected at the cloud level