Excluding namespaces from Policy Controller's admission webhook

This topic describes how to exclude a namespace from enforcement by Policy Controller's admission webhook by configuring exemptable namespaces. Violations in an exempted namespace are still reported by audit.

Before you begin

Install Anthos Config Management and Policy Controller in your cluster.

Exemptable namespaces

Configuring a namespace as exemptable allows a user to apply the admission.gatekeeper.sh/ignore label to it. If you later remove a namespace from the exemptable list, Policy Controller does not remove the label that was applied to that namespace.

Exempting namespaces from enforcement

To exempt namespaces so that you can apply the admission.gatekeeper.sh/ignore label to them, add each namespace's name to spec.policyController.exemptableNamespaces in the ConfigManagement manifest.

# config-management.yaml

apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
  namespace: config-management-system
spec:
  # clusterName is required and must be unique among all managed clusters
  clusterName: cluster-name
  # Set to true to install and enable Policy Controller
  policyController:
    enabled: true
    exemptableNamespaces: ["namespace-name"]
...

You can exempt multiple namespaces. For example, to exempt the namespaces not-applicable and also-not-applicable in the cluster my-cluster, you would apply the following manifest:

# config-management.yaml

apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
  namespace: config-management-system
spec:
  # clusterName is required and must be unique among all managed clusters
  clusterName: my-cluster
  # Set to true to install and enable Policy Controller
  policyController:
    enabled: true
    exemptableNamespaces: ["not-applicable","also-not-applicable"]
...

Label the namespace

Next, label each exempted namespace so that Anthos Config Management's admission webhook does not enforce policies on its contents.

kubectl label namespace namespace-name "admission.gatekeeper.sh/ignore=true"
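Because the exemptable list in the manifest and the label on the namespace are maintained separately, the two can drift apart: a namespace can keep the ignore label after it has been dropped from exemptableNamespaces, or be listed without ever having been labeled. The following script is an added example, not part of this page or of Anthos Config Management, that reconciles the two. It assumes it is fed JSON as produced by kubectl with -o json (assumed invocations: kubectl get configmanagement config-management -o json and kubectl get namespaces -o json); the embedded sample data is constructed to mirror the two-namespace manifest above and runs when no files are given.

```python
import json
import sys

# Label that tells the Policy Controller admission webhook to skip a namespace
# (the label this page applies with kubectl).
IGNORE_LABEL = "admission.gatekeeper.sh/ignore"

# Constructed sample: JSON shaped like `kubectl get configmanagement ... -o json`
# output, mirroring the two-namespace manifest on this page.
SAMPLE_CONFIG_MANAGEMENT = {
    "apiVersion": "configmanagement.gke.io/v1",
    "kind": "ConfigManagement",
    "metadata": {"name": "config-management", "namespace": "config-management-system"},
    "spec": {
        "clusterName": "my-cluster",
        "policyController": {
            "enabled": True,
            "exemptableNamespaces": ["not-applicable", "also-not-applicable"],
        },
    },
}

# Constructed sample: JSON shaped like `kubectl get namespaces -o json` output.
SAMPLE_NAMESPACES = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "default"}},
        {"metadata": {"name": "not-applicable", "labels": {IGNORE_LABEL: "true"}}},
        {"metadata": {"name": "also-not-applicable"}},
        # Still labeled, but no longer in exemptableNamespaces: the leftover
        # label case this page describes.
        {"metadata": {"name": "legacy-apps", "labels": {IGNORE_LABEL: "true"}}},
    ],
}


def declared_exemptions(config_management: dict) -> set:
    """Namespaces listed in spec.policyController.exemptableNamespaces."""
    policy_controller = config_management.get("spec", {}).get("policyController") or {}
    return set(policy_controller.get("exemptableNamespaces") or [])


def labeled_namespaces(namespace_list: dict) -> set:
    """Namespaces that currently carry the ignore label, whatever its value."""
    labeled = set()
    for item in namespace_list.get("items", []):
        metadata = item.get("metadata", {})
        if IGNORE_LABEL in (metadata.get("labels") or {}):
            labeled.add(metadata["name"])
    return labeled


def reconcile(config_management: dict, namespace_list: dict) -> dict:
    """Compare the exemptions declared in the manifest with the labels present."""
    declared = declared_exemptions(config_management)
    labeled = labeled_namespaces(namespace_list)
    return {
        # Declared and labeled: admission is skipped here; audit still reports.
        "exempt": sorted(declared & labeled),
        # Labeled but not declared: the label was left behind after the
        # namespace was removed from the list (Policy Controller does not remove it).
        "undeclared_label": sorted(labeled - declared),
        # Declared but not labeled: the label step was skipped, so the webhook
        # still enforces in this namespace.
        "declared_not_labeled": sorted(declared - labeled),
    }


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f:
            config_management = json.load(f)
        with open(argv[2]) as f:
            namespace_list = json.load(f)
    else:
        config_management, namespace_list = SAMPLE_CONFIG_MANAGEMENT, SAMPLE_NAMESPACES
    report = reconcile(config_management, namespace_list)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
    # Non-zero exit when cluster state and manifest disagree, for use in CI or cron.
    return 1 if report["undeclared_label"] or report["declared_not_labeled"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with two file arguments holding the kubectl JSON output, or with no arguments to see the constructed sample, where legacy-apps shows up as a leftover label and also-not-applicable as declared but not yet labeled. Treating any leftover label as a finding matches the caveat above: the exemption stays in effect on the namespace until someone removes the label, and the manifest alone no longer tells you that it is there.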