Policies
Policies are the directives the Enterprise Manager pushes to Stacklok clients. Each directive controls one aspect of client behavior: which MCP registry clients connect to, whether non-registry servers are allowed, where telemetry flows, and what parts of the Stacklok Desktop are visible.
Available directives
| Directive | Use it to |
|---|---|
| Registry | Enforce a specific MCP registry URL |
| Non-registry servers | Block or allow MCP servers that are not in the registry |
| Telemetry | Standardize OpenTelemetry collector configuration |
| CA certificate | Inject a custom CA certificate into MCP containers |
| Build environment | Inject environment variables into MCP containers |
| Stacklok Desktop | Show or hide the Playground tab and help menu |
| AI assistant | Show or hide the AI assistant in the Cloud UI |
Advanced directives, such as LLM Gateway configuration, are not covered in these guides.
Enforcement levels
Every policy directive carries an enforcement field with one of two values:
| Enforcement | Meaning |
|---|---|
| enforced | Mandatory. Clients must use the configured value and cannot override it locally. |
| default | Advisory. Clients use the configured value as a default but may override it locally. |
Use enforced when a policy needs to hold firm across the organization, for
example in regulated environments or when compliance requires it. Use default
when you want to recommend a configuration while still letting individual teams
or developers adjust for local needs.
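The precedence rules above, worked through as an added example (not Stacklok's code). Only the enforcement field and its two values come from this page; the directive names, the "value" key, the dict layout and the fail-closed handling of an unknown level are assumptions made for the sketch.

```python
# Added illustration, not Stacklok code. Only the "enforcement" field and its
# two values (enforced, default) come from the page; directive names, the
# "value" key and the dict layout are assumptions made for this sketch.

def resolve(policy, local):
    """Return (effective, rejected) for pushed policy vs. local client settings.

    effective: directive name -> value the client ends up using
    rejected:  directive names where a local override was ignored because
               the directive is enforced (worth surfacing in an audit log)
    """
    effective, rejected = {}, []
    for name, directive in policy.items():
        level = directive.get("enforcement")
        if level not in ("enforced", "default"):
            # Assumption: fail closed on an unknown or missing level rather
            # than silently treating the directive as advisory.
            raise ValueError(f"{name}: unknown enforcement level {level!r}")
        if level == "default" and name in local:
            effective[name] = local[name]      # advisory: local override wins
            continue
        effective[name] = directive["value"]   # policy value applies
        if name in local and local[name] != directive["value"]:
            rejected.append(name)              # enforced: override ignored
    # Settings the policy does not mention stay under local control.
    for name, value in local.items():
        effective.setdefault(name, value)
    return effective, sorted(rejected)


# Constructed sample data (hypothetical directive names and values).
POLICY = {
    "registry": {"enforcement": "enforced", "value": "https://registry.example.internal"},
    "telemetry": {"enforcement": "default", "value": "https://otel.example.internal:4318"},
}
LOCAL = {
    "registry": "https://registry.example.org",
    "telemetry": "http://localhost:4318",
    "theme": "dark",
}

if __name__ == "__main__":
    effective, rejected = resolve(POLICY, LOCAL)
    print(effective)
    print("ignored local overrides:", rejected)
```

The rejected list is the part worth logging: it shows where a client tried to diverge from an enforced directive.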
Apply policy changes
After updating enterprise-manager.enterpriseConfig in your Helm values,
upgrade the release to push the change to clients:
```bash
helm upgrade stacklok-enterprise \
  oci://oci.stacklok.com/stacklok-enterprise/<CHANNEL>/stacklok-enterprise-platform \
  --version <VERSION> \
  --namespace stacklok-system \
  --values values.yaml
```
Clients receive the updated policy the next time they connect to the Enterprise Manager.
Next steps
Pick a directive to configure:
- Registry policy
- Non-registry servers policy
- Telemetry policy
- CA certificate policy
- Build environment policy
- Stacklok Desktop policies
Or read about degraded mode to control how clients behave when the Enterprise Manager is unreachable.