Non-registry servers policy
A registry policy tells clients where to find approved servers, but without a non-registry servers policy, developers can still run unapproved servers by adding them locally. This guide shows you how to close that gap.
Pair this guide with a Registry policy so clients have a single approved registry to pull from.
Configure the non-registry servers directive
Add the non_registry_servers directive to your enterprise configuration. The
value field controls whether non-registry servers are allowed (true) or
blocked (false); pick an enforcement level
to match.
```yaml
enterpriseConfig:
  non_registry_servers:
    # false = only registry servers are allowed (recommended for most orgs)
    # true = any server is allowed
    value: false
    # "enforced" blocks local overrides; "default" lets users override locally
    enforcement: 'enforced'
```
The combined behavior of the value and enforcement fields:
| Enforcement | Value | Client behavior |
|---|---|---|
| enforced | false | Clients cannot run servers outside the registry. |
| enforced | true | Clients can run any server, even outside the registry. |
| default | false | Clients default to registry-only but may override locally. |
| default | true | Clients default to allowing any server and may override locally. |
Use enforced with value: false in security-sensitive environments where
unreviewed code execution is not acceptable. Use default when you want to
nudge developers toward the registry catalog without hard-blocking local
experimentation.
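A pre-rollout check for the combinations in the table above, as an added example that is not part of the product or its documentation: it flags any configuration that is not a hard block and resolves what a client with a local override would end up with. The function names, the `local_override` argument and the handling of a non-boolean `value` are assumptions, and the inputs are constructed mappings shaped as a YAML loader would return them.

```python
# Added example: lint a parsed enterpriseConfig mapping before rollout.
# Function names and the local_override argument are hypothetical.
ENFORCEMENT_LEVELS = ("enforced", "default")


def audit_non_registry_policy(config):
    """Return findings for the non_registry_servers directive; [] means hard block."""
    directive = (config.get("enterpriseConfig") or {}).get("non_registry_servers")
    if not isinstance(directive, dict):
        return ["missing: no non_registry_servers directive is set"]
    value, enforcement = directive.get("value"), directive.get("enforcement")
    findings = []
    # A quoted 'false' in YAML loads as a non-empty string, not a boolean.
    if not isinstance(value, bool):
        findings.append(f"invalid: value should be true or false, got {value!r}")
    if enforcement not in ENFORCEMENT_LEVELS:
        findings.append(f"invalid: unknown enforcement {enforcement!r}")
    if findings:
        return findings
    if value:
        findings.append("open: any server is allowed")
    elif enforcement == "default":
        findings.append("advisory: users may override registry-only locally")
    return findings


def effective_allow(directive, local_override=None):
    """Can a client run a non-registry server, given an optional local override?"""
    # "enforced" ignores the local setting; "default" yields to it when present.
    if directive["enforcement"] == "enforced" or local_override is None:
        return directive["value"]
    return local_override


# Constructed sample inputs, shaped as a YAML loader would return them.
HARD_BLOCK = {"enterpriseConfig": {"non_registry_servers": {"value": False, "enforcement": "enforced"}}}
ADVISORY = {"enterpriseConfig": {"non_registry_servers": {"value": False, "enforcement": "default"}}}
QUOTED = {"enterpriseConfig": {"non_registry_servers": {"value": "false", "enforcement": "enforced"}}}

if __name__ == "__main__":
    for name, cfg in (("hard block", HARD_BLOCK), ("advisory", ADVISORY), ("quoted", QUOTED)):
        print(name, audit_non_registry_policy(cfg) or "ok")
```
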
After updating your configuration, apply the change.
Variations
Advisory block
Suggest registry-only servers as the org default while allowing developers to run non-registry servers locally when needed:
```yaml
enterpriseConfig:
  non_registry_servers:
    value: false
    enforcement: 'default'
```
Explicitly allow any server
For sandbox or developer environments where you want to formally permit all
servers, set value: true. The enforced level prevents the policy from being
tightened locally:
```yaml
enterpriseConfig:
  non_registry_servers:
    value: true
    enforcement: 'enforced'
```
Next steps
- Registry policy to enforce a specific registry URL
- Telemetry policy to enforce OpenTelemetry settings
- Stacklok Desktop policies to control Stacklok Desktop visibility
- Degraded mode to define client behavior when the Enterprise Manager is unreachable