Exclude namespaces from Policy Controller
This page describes how to configure exempt namespaces in Policy Controller.

Exempting a namespace removes it from admission webhook enforcement by Policy Controller, but any violations in that namespace are still reported in audit. If you don't configure any exempt namespaces, only the gatekeeper-system namespace is pre-configured as exempt from Policy Controller admission webhook enforcement.
Configure exempt namespaces
Configuring an exemptable namespace lets you apply the admission.gatekeeper.sh/ignore label to exempt the namespace from Policy Controller admission webhook enforcement. If you later remove an exemptable namespace, Policy Controller does not remove the admission.gatekeeper.sh/ignore label from the namespace.
Exempt namespaces from enforcement
Before you can apply the admission.gatekeeper.sh/ignore label to a namespace, you need to add that namespace to exemptableNamespaces.
You can exempt namespaces either during Policy Controller installation, or after installation. The following process shows you how to exempt namespaces after installation.
Console
- In the Google Cloud console:
  - If you use Google Kubernetes Engine, go to the GKE Config page under the Config & Policy section.
  - If you use Anthos, go to the Anthos Config page under the Config & Policy section.
- Next to the cluster that you want to add an exempt namespace to, click Edit configuration > Edit Config.
- Click Show advanced settings.
- In the Exempt namespaces field, provide a list of valid namespaces. Objects in these namespaces are ignored by all policies. The namespaces don't need to currently exist.
- Click Complete.
Label your exemptable namespace so that Policy Controller's admission webhook does not enforce its contents:
kubectl label namespace NAMESPACE_NAME "admission.gatekeeper.sh/ignore=true"
Replace NAMESPACE_NAME with the name of the namespace that you want to exempt from enforcement.
gcloud
To exempt a namespace from enforcement, add the namespace's name to spec.policyController.exemptableNamespaces:

    # apply-spec.yaml
    applySpecVersion: 1
    spec:
      # Set to true to install and enable Policy Controller
      policyController:
        enabled: true
        exemptableNamespaces: ["NAMESPACE_NAME"]
    ...

Replace NAMESPACE_NAME with the name of the namespace that you want to exempt from enforcement.
You can also exempt multiple namespaces. For example, to add the namespaces not-applicable and also-not-applicable, you would apply the following manifest:

    # apply-spec.yaml
    applySpecVersion: 1
    spec:
      # Set to true to install and enable Policy Controller
      policyController:
        enabled: true
        exemptableNamespaces: ["not-applicable", "also-not-applicable"]
    ...
Apply the changes in the apply-spec.yaml file:

    gcloud beta container fleet config-management apply \
        --membership=MEMBERSHIP_NAME \
        --config=CONFIG_YAML \
        --project=PROJECT_ID

Replace the following:
- MEMBERSHIP_NAME: the registered cluster that you want to apply this configuration to. If you registered the cluster in the Google Cloud console, the membership name is the same as the name of your cluster.
- CONFIG_YAML: the path to your apply-spec.yaml file.
- PROJECT_ID: your project ID.
Label your exemptable namespace(s) so Policy Controller's admission webhook does not enforce their contents:
kubectl label namespace NAMESPACE_NAME "admission.gatekeeper.sh/ignore=true"
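Exemption is a two-step configuration: a namespace must be listed in spec.policyController.exemptableNamespaces and it must carry the admission.gatekeeper.sh/ignore label, and the page notes that dropping a namespace from the list does not remove the label. The following script is an added example, not part of this page or of Google's tooling, that reconciles the two halves so you can spot namespaces that are listed but not yet labeled (still enforced) and namespaces that carry the label but are no longer listed (worth reviewing). It assumes the flow-style list shown on this page (`exemptableNamespaces: ["a", "b"]`), which it reads with a small regex instead of a YAML library, and namespace data in the shape of `kubectl get namespaces -o json`; both inputs are constructed inline.

```python
"""Reconcile Policy Controller exemptable namespaces with the ignore label.

Added example (not from the page or from Google's tooling). Assumptions:
  * apply-spec.yaml lists namespaces in flow style, as on the page, e.g.
        exemptableNamespaces: ["a", "b"]
    It is parsed with a regex so the script runs offline without PyYAML.
  * The namespace listing has the shape of `kubectl get namespaces -o json`.
  * A namespace counts as labeled when the ignore label is present.
"""
import json
import re

IGNORE_LABEL = "admission.gatekeeper.sh/ignore"
# Pre-configured as exempt per the page, even when not in apply-spec.yaml.
DEFAULT_EXEMPT = {"gatekeeper-system"}

# Constructed sample apply-spec.yaml (same layout as the page's manifest).
SAMPLE_APPLY_SPEC = """\
# apply-spec.yaml
applySpecVersion: 1
spec:
  # Set to true to install and enable Policy Controller
  policyController:
    enabled: true
    exemptableNamespaces: ["not-applicable", "also-not-applicable"]
"""

# Constructed sample of `kubectl get namespaces -o json` output.
SAMPLE_NAMESPACES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "gatekeeper-system", "labels": {IGNORE_LABEL: "true"}}},
        {"metadata": {"name": "not-applicable", "labels": {IGNORE_LABEL: "true"}}},
        {"metadata": {"name": "also-not-applicable", "labels": {}}},
        # Labeled earlier, then dropped from exemptableNamespaces (constructed case).
        {"metadata": {"name": "payments", "labels": {IGNORE_LABEL: "true"}}},
        {"metadata": {"name": "default"}},
    ]
})


def exemptable_namespaces(apply_spec_text):
    """Return the names listed under exemptableNamespaces in apply-spec.yaml."""
    match = re.search(r'exemptableNamespaces:\s*\[([^\]]*)\]', apply_spec_text)
    if not match:
        return set()
    return {
        name.strip().strip('"\'')
        for name in match.group(1).split(",")
        if name.strip()
    }


def ignored_namespaces(namespaces_json):
    """Return the names of namespaces carrying the admission.gatekeeper.sh/ignore label."""
    data = json.loads(namespaces_json)
    return {
        item["metadata"]["name"]
        for item in data.get("items", [])
        if IGNORE_LABEL in (item["metadata"].get("labels") or {})
    }


def reconcile(apply_spec_text, namespaces_json):
    """Compare the exemptable list (plus the default exempt namespace) with the labels.

    stale_labels:   labeled but not listed as exemptable; review these, since
                    Policy Controller does not remove the label when a
                    namespace is dropped from exemptableNamespaces.
    missing_labels: listed as exemptable but not labeled; the admission
                    webhook still enforces them until the label is applied.
    """
    exemptable = exemptable_namespaces(apply_spec_text) | DEFAULT_EXEMPT
    ignored = ignored_namespaces(namespaces_json)
    return {
        "stale_labels": sorted(ignored - exemptable),
        "missing_labels": sorted(exemptable - ignored),
    }


if __name__ == "__main__":
    # With the constructed inputs: payments is stale, also-not-applicable is unlabeled.
    print(json.dumps(reconcile(SAMPLE_APPLY_SPEC, SAMPLE_NAMESPACES_JSON), indent=2))
```

To run it against a real cluster, read apply-spec.yaml from disk and pipe `kubectl get namespaces -o json` into `reconcile`; any name in `missing_labels` is a namespace you listed but have not yet labeled with `kubectl label namespace NAMESPACE_NAME "admission.gatekeeper.sh/ignore=true"`.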