
Exclude namespaces from Policy Controller

This page describes how to configure exemptible namespaces in Policy Controller.

Exemptible namespaces remove a namespace from admission webhook enforcement by Policy Controller; objects in such a namespace are admitted without being checked against constraints, but any violations in them are still reported by the audit. If you don't configure any exemptible namespaces, only the gatekeeper-system namespace is exempt from enforcement.

Configure exemptible namespaces

Adding a namespace to the exemptible list lets you apply the label admission.gatekeeper.sh/ignore to that namespace, which is what actually causes the admission webhook to skip it. If you later remove a namespace from the exemptible list, Policy Controller does not remove the label from that namespace; remove it yourself if the namespace should be enforced again.

Exempt namespaces from enforcement

Before you can apply the admission.gatekeeper.sh/ignore label, you need to add the namespaces that you want to exclude.

You can exempt namespaces either during Policy Controller installation, or after installation. The following commands show you how to exempt namespaces after installation.

Console

  1. In the Google Cloud console:
  2. Next to the cluster that you want to add an exempt namespace to, click Edit configuration > Edit Config.
  3. Click Show advanced settings.
  4. In the Exempt namespaces field, provide a list of valid namespace names. Objects in these namespaces are ignored by the admission webhook (the audit still reports their violations). The namespaces don't need to exist yet.
  5. Click Complete.

gcloud

  1. To exempt a namespace from enforcement, add the namespace's name in spec.policyController.exemptableNamespaces:

    # apply-spec.yaml
    
    applySpecVersion: 1
    spec:
      # Set to true to install and enable Policy Controller
      policyController:
        enabled: true
        exemptableNamespaces: ["NAMESPACE_NAME"]
    ...
    

    You can also exempt multiple namespaces. For example, to exempt the namespaces not-applicable and also-not-applicable, you would apply the following manifest:

    # apply-spec.yaml
    
    applySpecVersion: 1
    spec:
      # Set to true to install and enable Policy Controller
      policyController:
        enabled: true
        exemptableNamespaces: ["not-applicable","also-not-applicable"]
    ...
    
  2. Apply the updated apply-spec.yaml file to the cluster:

     gcloud beta container fleet config-management apply \
         --membership=MEMBERSHIP_NAME \
         --config=CONFIG_YAML \
         --project=PROJECT_ID
    

    Replace the following:

    • MEMBERSHIP_NAME: the membership name of the registered cluster that you want to apply this configuration to. If you registered the cluster in the Google Cloud console, the membership name is the same as the name of your cluster.
    • CONFIG_YAML: the path to your apply-spec.yaml file.
    • PROJECT_ID: your project ID.

Label the namespace

After the configuration has been applied, label each exempt namespace so that Policy Controller's admission webhook does not enforce its contents. Policy Controller only accepts this label on namespaces listed in exemptableNamespaces:

kubectl label namespace NAMESPACE_NAME "admission.gatekeeper.sh/ignore=true"
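The two steps above (list the namespaces in apply-spec.yaml, then label them) are easy to get half-done: a namespace added to exemptableNamespaces but never labeled is still enforced. The following script is an added example, not part of this page or of the Policy Controller tooling. It renders the policyController stanza for a set of namespaces, prints the matching kubectl label commands, and checks a constructed sample of kubectl custom-columns output (the "<none>" value is what kubectl prints for a missing label) for namespaces that are in the list but still lack the admission.gatekeeper.sh/ignore=true label. The namespace names and the sample output are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the page): render the exemptableNamespaces stanza,
# emit the label commands, and find exempt namespaces that are not yet labeled.
set -eu

IGNORE_LABEL="admission.gatekeeper.sh/ignore"

# exemptable_list a b  ->  ["a","b"]   (the flow-sequence form used in apply-spec.yaml)
exemptable_list() {
  out=""
  for ns in "$@"; do
    if [ -z "$out" ]; then out="\"$ns\""; else out="$out,\"$ns\""; fi
  done
  printf '[%s]' "$out"
}

# render_apply_spec a b  ->  the policyController part of apply-spec.yaml for those namespaces
render_apply_spec() {
  printf 'applySpecVersion: 1\nspec:\n  policyController:\n    enabled: true\n    exemptableNamespaces: %s\n' \
    "$(exemptable_list "$@")"
}

# label_commands a b  ->  one "kubectl label namespace ..." line per namespace (printed, not executed)
label_commands() {
  for ns in "$@"; do
    printf 'kubectl label namespace %s "%s=true"\n' "$ns" "$IGNORE_LABEL"
  done
}

# missing_ignore_label a b < input
# input is the output of:
#   kubectl get namespaces --no-headers \
#     -o custom-columns="NAME:.metadata.name,IGNORE:.metadata.labels.admission\.gatekeeper\.sh/ignore"
# i.e. one "<name> <label-value>" line per namespace, "<none>" when the label is absent.
# Prints every requested namespace whose label is absent, not "true", or whose
# namespace is not present in the input at all (it does not exist yet).
missing_ignore_label() {
  input=$(cat)
  for want in "$@"; do
    value=$(printf '%s\n' "$input" | awk -v n="$want" '$1 == n { print $2 }')
    if [ "$value" != "true" ]; then
      printf '%s\n' "$want"
    fi
  done
}

# Constructed sample of kubectl output: two namespaces in the exempt list,
# only one of them already labeled.
SAMPLE_NS_LABELS='gatekeeper-system     true
not-applicable        true
also-not-applicable   <none>
default               <none>'

# Stand-alone demo over the constructed sample (no cluster access needed).
render_apply_spec not-applicable also-not-applicable
label_commands not-applicable also-not-applicable
printf 'exempt namespaces still missing %s=true:\n' "$IGNORE_LABEL"
printf '%s\n' "$SAMPLE_NS_LABELS" | missing_ignore_label not-applicable also-not-applicable
```

Against a real cluster, replace the constructed sample with the kubectl custom-columns command shown in the comment and pipe it into missing_ignore_label; any namespace it prints is listed as exemptible but will still be enforced by the webhook until it is labeled.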