This page describes how to configure exempt namespaces in Policy Controller.
Caution: Namespace exemption from the admission webhook is possible only on Standard clusters. For Autopilot clusters, you can define exemptions on the constraint instead.
Exempting a namespace removes it from admission webhook enforcement by
Policy Controller, but any violations in it are still reported in
audit. If you don't configure any
namespaces, only the gatekeeper-system namespace is pre-configured as exempt
from Policy Controller admission webhook enforcement.
Configure exempt namespaces
Configuring an exemptable namespace applies the
admission.gatekeeper.sh/ignore label, which exempts the namespace from Policy Controller
admission webhook enforcement. If you later remove an exemptable namespace,
Policy Controller does not remove the admission.gatekeeper.sh/ignore label
from the namespace.
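Because the admission.gatekeeper.sh/ignore label is left in place after a namespace is removed from the exemptable list, the set of labels on the cluster can drift away from what you configured. The following added example (not part of this page or of Policy Controller) compares a namespace listing with the intended exemptable list and reports namespaces that are still labeled but no longer configured, and namespaces that are configured but not yet labeled. The namespace listing is a constructed sample shaped like `kubectl get namespaces -o json`, not output from a real cluster.

```python
import json

IGNORE_LABEL = "admission.gatekeeper.sh/ignore"

# Constructed sample, shaped like `kubectl get namespaces -o json`
# (not captured from a real cluster). The label value is not checked by
# this script; only the presence of the label key matters here.
SAMPLE_NAMESPACES_JSON = json.dumps({
    "kind": "NamespaceList",
    "items": [
        {"metadata": {"name": "gatekeeper-system",
                      "labels": {IGNORE_LABEL: "no-self-managing"}}},
        {"metadata": {"name": "kube-system",
                      "labels": {IGNORE_LABEL: "true"}}},
        {"metadata": {"name": "old-tooling",
                      "labels": {IGNORE_LABEL: "true"}}},
        {"metadata": {"name": "payments", "labels": {"team": "fin"}}},
        {"metadata": {"name": "cert-manager"}},
    ],
})


def labeled_namespaces(ns_list_json):
    """Return the set of namespace names that carry the ignore label."""
    doc = json.loads(ns_list_json)
    return {
        item["metadata"]["name"]
        for item in doc.get("items", [])
        if IGNORE_LABEL in (item["metadata"].get("labels") or {})
    }


def exemption_drift(ns_list_json, configured):
    """Compare cluster labels with the list passed to --exemptable-namespaces.

    Returns (stale, pending):
      stale   = labeled in the cluster but no longer configured
                (labels left behind after a namespace was removed)
      pending = configured but not labeled (for example, the namespace
                does not exist yet)
    gatekeeper-system is always treated as configured, since it is
    exempt by default.
    """
    wanted = set(configured) | {"gatekeeper-system"}
    actual = labeled_namespaces(ns_list_json)
    return sorted(actual - wanted), sorted(wanted - actual)


if __name__ == "__main__":
    stale, pending = exemption_drift(SAMPLE_NAMESPACES_JSON,
                                     ["kube-system", "cert-manager"])
    print("stale (still exempt from the webhook):", stale)
    print("pending (configured, not yet labeled):", pending)
```

A stale entry is a namespace that is still skipped by the admission webhook even though it is no longer in your exemptable list; remove the label by hand if that is not what you intend.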
Exempt namespaces from enforcement
You can exempt namespaces either
during Policy Controller installation,
or after installation. The following process shows you how to exempt namespaces
after installation.
Console
In the Google Cloud console, go to the Policy page under the Posture Management section: https://console.cloud.google.com/kubernetes/policy_controller
Under the Settings tab, in the cluster table, select Edit in the Edit configuration column.
Expand the Edit Policy Controller configuration menu.
In the Exempt namespaces field, provide a list of valid namespaces.
Objects in these namespaces are ignored by all policies. The namespaces
don't need to exist yet.
Select Save changes.
gcloud
To add namespaces to the list of namespaces that may be exempted from
enforcement by the admission webhook, run the following command:

    gcloud container fleet policycontroller update \
      --memberships=MEMBERSHIP_NAME \
      --exemptable-namespaces=[NAMESPACE_LIST]

Replace the following:
MEMBERSHIP_NAME: the membership name of
the registered cluster to exempt namespaces on. You can specify multiple
memberships separated by a comma.
NAMESPACE_LIST: a comma-separated list of namespaces
that you want Policy Controller to exempt from enforcement.
This command exempts resources only from the admission webhook. The resources
are still audited. To exempt namespaces from audit as well, set the
exemption at the policy bundle level instead:

    gcloud container fleet policycontroller content bundles set BUNDLE_NAME \
      --memberships=MEMBERSHIP_NAME \
      --exempted-namespaces=[NAMESPACE_LIST]

Replace the following:
BUNDLE_NAME: the name of the policy bundle
that you want to update with exempted namespaces.
MEMBERSHIP_NAME: the membership name of
the registered cluster to exempt namespaces on. You can specify multiple
memberships separated by a comma.
NAMESPACE_LIST: a comma-separated list of namespaces
that you want Policy Controller to exempt from enforcement.
Namespaces to exempt from enforcement
These are some namespaces that might be created by Google Kubernetes Engine (GKE)
and related products. You may want to exempt them from enforcement to avoid
undesired impact:
- anthos-creds
- anthos-identity-service
- apigee
- apigee-system
- asm-system
- capi-kubeadm-bootstrap-system
- capi-system
- cert-manager
- cnrm-system
- config-management-monitoring
- config-management-system
- gke-connect
- gke-gmp-system
- gke-managed-cim
- gke-managed-filestorecsi
- gke-managed-metrics-server
- gke-managed-system
- gke-system
- gmp-public
- gmp-system
- hnc-system
- istio-system
- kube-node-lease
- kube-public
- kube-system
- poco-trial
- resource-group-system
- vm-system
Last updated 2025-09-04 UTC.