Exclude namespaces from Policy Controller

This page describes how to configure exempt namespaces in Policy Controller.

Exempting a namespace removes it from Policy Controller admission webhook enforcement, but any violations in it are still reported in audit. If you don't configure any namespaces, only the gatekeeper-system namespace is pre-configured as exempt from the Policy Controller admission webhook enforcement.

Configure exempt namespaces

Configuring an exemptable namespace lets you apply the admission.gatekeeper.sh/ignore label to exempt the namespace from Policy Controller admission webhook enforcement. If you later remove an exemptable namespace, Policy Controller does not remove the admission.gatekeeper.sh/ignore label from the namespace.

Exempt namespaces from enforcement

You can exempt namespaces either during Policy Controller installation, or after installation. The following process shows you how to exempt namespaces after installation.

Console

  1. In the Google Cloud console, go to the GKE Enterprise Policy page under the Posture Management section.

  2. Under the Settings tab, in the cluster table, select Edit in the Edit configuration column.
  3. Expand the Edit Policy Controller configuration menu.
  4. In the Exempt namespaces field, provide a list of valid namespaces. Objects in these namespaces are ignored by all policies. The namespaces don't need to exist yet.
  5. Select Save changes.

gcloud Policy Controller

To add namespaces to the list of namespaces that may be exempted from enforcement by the admission webhook, run the following command:

  gcloud container fleet policycontroller update \
    --memberships=MEMBERSHIP_NAME \
    --exemptable-namespaces=[NAMESPACE_LIST]

Replace the following:

  • MEMBERSHIP_NAME: the membership name of the registered cluster to exempt namespaces on. You can specify multiple memberships separated by a comma.
  • NAMESPACE_LIST: a comma-separated list of namespaces that you want Policy Controller to exempt from enforcement.

This command exempts resources only from the admission webhook. The resources are still audited. To exempt namespaces from audit as well, set the exemption at the policy bundle level:

  gcloud container fleet policycontroller content bundles set BUNDLE_NAME \
    --memberships=MEMBERSHIP_NAME \
    --exempted-namespaces=[NAMESPACE_LIST]

Replace the following:

  • BUNDLE_NAME: the name of the policy bundle that you want to update with exempted namespaces.
  • MEMBERSHIP_NAME: the membership name of the registered cluster to exempt namespaces on. You can specify multiple memberships separated by a comma.
  • NAMESPACE_LIST: a comma-separated list of namespaces that you want Policy Controller to exempt from enforcement.

gcloud ConfigManagement

  1. To exempt a namespace from enforcement, add the namespace's name in spec.policyController.exemptableNamespaces:

    # apply-spec.yaml
    
    applySpecVersion: 1
    spec:
      # Set to true to install and enable Policy Controller
      policyController:
        enabled: true
        exemptableNamespaces: ["NAMESPACE_NAME"]
    ...
    

    Replace NAMESPACE_NAME with the name of the namespace that you want to exempt from enforcement.

    You can also exempt multiple namespaces. For example, to add the namespaces not-applicable and also-not-applicable, you would apply the following manifest:

    # apply-spec.yaml
    
    applySpecVersion: 1
    spec:
      # Set to true to install and enable Policy Controller
      policyController:
        enabled: true
        exemptableNamespaces: ["not-applicable","also-not-applicable"]
    ...
    
  2. Apply the changes to the apply-spec.yaml file:

    gcloud beta container fleet config-management apply \
        --membership=MEMBERSHIP_NAME \
        --config=CONFIG_YAML \
        --project=PROJECT_ID
    

    Replace the following:

    • MEMBERSHIP_NAME: add the registered cluster that you want to apply this configuration to. If you registered the cluster in the Google Cloud console, the membership name is the same as the name of your cluster.
    • CONFIG_YAML: add the path to your apply-spec.yaml file.
    • PROJECT_ID: add your project ID.
  3. Label your exemptable namespace so that Policy Controller's admission webhook does not enforce its contents:

    kubectl label namespace NAMESPACE_NAME "admission.gatekeeper.sh/ignore=true"
    

    Replace NAMESPACE_NAME with the name of the namespace that you want to exempt from enforcement.
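Because Policy Controller never removes the admission.gatekeeper.sh/ignore label on its own, the set of namespaces that are actually exempt from the webhook can drift away from the exemptable list you configured. The following script is an added example, not part of this page or of the Policy Controller tooling: it compares a configured exemptable list (the same comma-separated format as --exemptable-namespaces) against a namespace listing and reports labeled namespaces that are no longer exemptable, and exemptable namespaces that have not been labeled yet. The listing format, the constructed sample namespaces and the kubectl command in the comment are assumptions for the example; gatekeeper-system is skipped because it is exempt by default.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation or Policy Controller):
# detect drift between the configured exemptable namespaces and the
# admission.gatekeeper.sh/ignore labels actually present on the cluster.
#
# Assumed input format: one line per namespace, "<name> <label-value>", with
# "<none>" when the label is absent. On a live cluster a listing like this can
# be produced with (assumption, not a command from the page):
#   kubectl get namespaces --no-headers \
#     -o custom-columns='NAME:.metadata.name,IGNORE:.metadata.labels.admission\.gatekeeper\.sh/ignore'
# The sample below is constructed inline so the script runs offline.
SAMPLE_NAMESPACES='default <none>
gatekeeper-system no-self-managing
kube-system true
not-applicable true
also-not-applicable true
payments <none>'

# $1 = comma-separated exemptable list (as passed to --exemptable-namespaces)
# $2 = namespace listing in the format above
# Prints namespaces that carry the ignore label but are absent from the
# exemptable list: they are still skipped by the webhook even though the
# configuration no longer lists them. gatekeeper-system is exempt by default.
find_stale_exemptions() {
  exemptable=",$1,"
  printf '%s\n' "$2" | while read -r ns value; do
    [ -z "$ns" ] && continue
    [ "$value" = "<none>" ] && continue
    [ "$ns" = "gatekeeper-system" ] && continue
    case "$exemptable" in
      *",$ns,"*) ;;                 # still in the configured list: fine
      *) printf '%s\n' "$ns" ;;      # labeled, but no longer exemptable
    esac
  done | sort
}

# Same arguments. Prints exemptable namespaces that exist in the listing but
# have no ignore label yet, so the webhook still enforces policies there
# (the label has to be applied with kubectl label, as in the step above).
find_unlabeled_exemptables() {
  listing="$2"
  printf '%s\n' "$1" | tr ',' '\n' | while read -r ns; do
    [ -z "$ns" ] && continue
    printf '%s\n' "$listing" | while read -r name value; do
      if [ "$name" = "$ns" ] && [ "$value" = "<none>" ]; then
        printf '%s\n' "$ns"
      fi
    done
  done | sort
}

# Stand-alone run against the constructed sample with an example configured
# list: not-applicable is still exemptable, payments was added but not labeled.
echo "Labeled but no longer exemptable (webhook still skips them):"
find_stale_exemptions 'not-applicable,payments' "$SAMPLE_NAMESPACES"
echo "Exemptable but not yet labeled (webhook still enforces them):"
find_unlabeled_exemptables 'not-applicable,payments' "$SAMPLE_NAMESPACES"
```

Run the first function after you remove a namespace from the exemptable list; every name it prints needs the label removed by hand (for example with `kubectl label namespace NAME admission.gatekeeper.sh/ignore-`) before the webhook enforces policies there again. The second function is the complementary check after adding namespaces to the list.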

Namespaces to exempt from enforcement

The following namespaces can be created by Google Kubernetes Engine (GKE) and related products. You may want to exempt them from enforcement to avoid undesired impact:

- anthos-creds
- anthos-identity-service
- apigee
- apigee-system
- asm-system
- capi-kubeadm-bootstrap-system
- capi-system
- cert-manager
- cnrm-system
- config-management-monitoring
- config-management-system
- gke-connect
- gke-gmp-system
- gke-managed-cim
- gke-managed-filestorecsi
- gke-managed-metrics-server
- gke-managed-system
- gke-system
- gmp-public
- gmp-system
- hnc-system
- istio-system
- kube-node-lease
- kube-public
- kube-system
- poco-trial
- resource-group-system
- vm-system