You're viewing documentation for Anthos Config Management 1.3. This version has reached end of life and is no longer supported.

Excluding namespaces from Policy Controller

This topic describes how to remove a namespace from enforcement with Policy Controller by configuring exemptable namespaces.

Before you begin

Have Anthos Config Management and Policy Controller installed in your cluster.

Exemptable namespaces

Configuring an exemptable namespace allows a user to apply the admission.gatekeeper.sh/ignore label to that namespace. Once a namespace is listed as exemptable, Policy Controller leaves the label in place on it; the exemptable list therefore bounds which namespaces can be opted out of enforcement by that label.

Exempting namespaces from enforcement

To exempt namespaces so that you can apply the admission.gatekeeper.sh/ignore label to them, add each namespace's name to the ConfigManagement manifest under spec.policyController.exemptableNamespaces.

# config-management.yaml

apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
  namespace: config-management-system
spec:
  # clusterName is required and must be unique among all managed clusters
  clusterName: cluster-name
  # Set to true to install and enable Policy Controller
  policyController:
    enabled: true
    exemptableNamespaces: ["namespace-name"]
...

You can exempt multiple namespaces. For example, to exempt the namespaces not-applicable and also-not-applicable in the cluster my-cluster, you would apply the following manifest:

# config-management.yaml

apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
  namespace: config-management-system
spec:
  # clusterName is required and must be unique among all managed clusters
  clusterName: my-cluster
  # Set to true to install and enable Policy Controller
  policyController:
    enabled: true
    exemptableNamespaces: ["not-applicable","also-not-applicable"]
...

Label the namespace

Next, label your namespaces so that the Operator does not enforce their contents.

kubectl label namespace namespace-name "admission.gatekeeper.sh/ignore=true"
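The two steps above (list the namespace as exemptable, then label it) are what make an opt-out legitimate. A defender reviewing a cluster usually wants the inverse check: which namespaces carry the admission.gatekeeper.sh/ignore label without appearing in spec.policyController.exemptableNamespaces. The following POSIX shell script is an added example, not code from this documentation page or from the Anthos Config Management project. It parses the flow-style exemptableNamespaces line from a ConfigManagement manifest and compares it against a list of labeled namespaces; both inputs are constructed inline so the script runs offline, and the helper names (exemptable_from_manifest, unexpected_ignores) are this example's own.

```shell
#!/bin/sh
# Added audit example (not from the Anthos Config Management docs): report namespaces that
# carry the admission.gatekeeper.sh/ignore label but are NOT listed in
# spec.policyController.exemptableNamespaces of the ConfigManagement manifest.

# Constructed sample manifest, shaped like the one in the docs above.
SAMPLE_MANIFEST='apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
  namespace: config-management-system
spec:
  clusterName: my-cluster
  policyController:
    enabled: true
    exemptableNamespaces: ["not-applicable","also-not-applicable"]'

# Constructed sample of what "kubectl get namespaces -l admission.gatekeeper.sh/ignore -o name"
# would print on a cluster: two legitimately exempt namespaces plus one unexpected one.
SAMPLE_LABELED='namespace/not-applicable
namespace/kube-system
namespace/also-not-applicable'

# exemptable_from_manifest MANIFEST_TEXT
# Prints one exemptable namespace per line, taken from the flow-style list
# (exemptableNamespaces: ["a","b"]) that the docs use. Quotes and spaces are stripped.
exemptable_from_manifest() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*exemptableNamespaces:[[:space:]]*\[\(.*\)\].*$/\1/p' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*"\{0,1\}//; s/"\{0,1\}[[:space:]]*$//' \
    | sed '/^$/d'
}

# unexpected_ignores MANIFEST_TEXT LABELED_NAMESPACES
# LABELED_NAMESPACES is one namespace per line, optionally prefixed "namespace/" as
# "kubectl get ... -o name" prints it. Prints every labeled namespace that is absent
# from the manifest's exemptable list, i.e. an opt-out the configuration does not sanction.
unexpected_ignores() {
  manifest="$1"; labeled="$2"
  exempt=$(exemptable_from_manifest "$manifest")
  printf '%s\n' "$labeled" | sed 's#^namespace/##' | sed '/^$/d' | while IFS= read -r ns; do
    if ! printf '%s\n' "$exempt" | grep -qx -- "$ns"; then
      printf '%s\n' "$ns"
    fi
  done
}

# Demo on the constructed inputs: only kube-system is labeled without being exemptable.
unexpected_ignores "$SAMPLE_MANIFEST" "$SAMPLE_LABELED"
```

Against a live cluster, the two inputs would come from kubectl get -f config-management.yaml -o yaml for the manifest and kubectl get namespaces -l admission.gatekeeper.sh/ignore -o name for the labeled namespaces. Any namespace the script prints is one where enforcement is skipped without the exemptable list authorising it, which is worth treating as configuration drift to investigate.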