Excluding namespaces from Policy Controller

This topic describes how to remove a namespace from enforcement with Policy Controller by configuring exemptable namespaces.

Before you begin

Install Anthos Config Management and Policy Controller in your cluster.

Exemptable namespaces

Configuring an exemptable namespace allows a user to apply the label admission.gatekeeper.sh/ignore to that namespace. When a namespace is configured as exemptable, Policy Controller does not strip this label from it.

Exempting namespaces from enforcement

To exempt namespaces so you can apply the admission.gatekeeper.sh/ignore label, you add the namespace's name to the ConfigManagement manifest in spec.policyController.exemptableNamespaces.

# config-management.yaml

apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
  namespace: config-management-system
spec:
  # clusterName is required and must be unique among all managed clusters
  clusterName: cluster-name
  # Set to true to install and enable Policy Controller
  policyController:
    enabled: true
    exemptableNamespaces: ["namespace-name"]
...

You can exempt multiple namespaces. For example, to exempt the namespaces not-applicable and also-not-applicable in the cluster my-cluster, you would apply the following manifest:

# config-management.yaml

apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
  namespace: config-management-system
spec:
  # clusterName is required and must be unique among all managed clusters
  clusterName: my-cluster
  # Set to true to install and enable Policy Controller
  policyController:
    enabled: true
    exemptableNamespaces: ["not-applicable","also-not-applicable"]
...

Label the namespace

Next, label each exempted namespace so that the Operator does not enforce constraints on its contents.

kubectl label namespace namespace-name "admission.gatekeeper.sh/ignore=true"
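Exemption only takes effect when both steps above are done: the namespace is listed in spec.policyController.exemptableNamespaces and it carries the admission.gatekeeper.sh/ignore label. The following audit helper is an added example, not part of Anthos Config Management or this documentation; it takes the ConfigManagement object and the namespace list as dicts in the shape that kubectl -o json returns (the sample objects are constructed inline) and reports namespaces whose two halves of the configuration disagree.

```python
"""Audit which namespaces are actually exempt from Policy Controller."""
import json

IGNORE_LABEL = "admission.gatekeeper.sh/ignore"

# Constructed sample: the ConfigManagement object as applied in this topic.
CONFIG_MANAGEMENT = {
    "apiVersion": "configmanagement.gke.io/v1",
    "kind": "ConfigManagement",
    "metadata": {"name": "config-management", "namespace": "config-management-system"},
    "spec": {
        "clusterName": "my-cluster",
        "policyController": {
            "enabled": True,
            "exemptableNamespaces": ["not-applicable", "also-not-applicable"],
        },
    },
}

# Constructed sample: what `kubectl get namespaces -o json` returns (trimmed).
NAMESPACE_LIST = {"items": [
    {"metadata": {"name": "not-applicable", "labels": {IGNORE_LABEL: "true"}}},
    {"metadata": {"name": "also-not-applicable", "labels": {}}},
    {"metadata": {"name": "payments", "labels": {IGNORE_LABEL: "true"}}},
    {"metadata": {"name": "default"}},
]}


def audit_exemptions(config_management, namespace_list):
    """Classify namespaces by exemption state.

    exempt:                   listed as exemptable AND labelled -> not enforced
    listed_but_unlabelled:    exemptable but still enforced (label missing)
    labelled_but_not_listed:  label present but namespace is not exemptable
    """
    pc = config_management.get("spec", {}).get("policyController", {})
    exemptable = set(pc.get("exemptableNamespaces") or [])
    labelled = set()
    for item in namespace_list.get("items", []):
        meta = item.get("metadata", {})
        if (meta.get("labels") or {}).get(IGNORE_LABEL) == "true":
            labelled.add(meta["name"])
    return {
        "exempt": sorted(exemptable & labelled),
        "listed_but_unlabelled": sorted(exemptable - labelled),
        "labelled_but_not_listed": sorted(labelled - exemptable),
    }


if __name__ == "__main__":
    print(json.dumps(audit_exemptions(CONFIG_MANAGEMENT, NAMESPACE_LIST), indent=2))
```

In a real cluster, feed it the output of kubectl get configmanagement config-management -o json and kubectl get namespaces -o json instead of the constructed samples.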