How do you interpret the customer's words?
The prospect saw that Fleet recently shipped GitOps mode exceptions for labels, software, and enroll secrets (#40171), and is asking whether the exception list will be expanded to cover queries and reports. Their detection and response (D&R) team manages queries through its own CI pipelines, separate from the IT team's GitOps repo. Today, if the IT team enables GitOps without specifying queries/reports in YAML, the GitOps run wipes out the D&R team's queries and the reports those queries produce. Duplicating the D&R team's queries into the IT GitOps repo defeats the purpose of the D&R team owning their own pipeline.
What's Fleet missing?
The current GitOps exceptions feature (software, labels, secrets) does not include queries or reports. There is no way to mark "queries are managed outside GitOps" so a different system (the D&R team's CI) can own them without GitOps stomping on changes between syncs.
What does the customer's ideal workflow look like?
Global admin enables GitOps for the org and defines most resources in the IT team's Git repo as usual.
With the exception enabled, GitOps runs that don't specify queries: / leave reports unspecified will leave existing queries and reports untouched instead of wiping them.
The D&R team continues to push and update queries via their own CI pipeline against the Fleet API without interference.
Both GitOps-managed resources and the D&R team's externally-managed queries/reports coexist on the Fleet instance without conflict.