Excluding namespaces from Policy Controller's admission webhook

This page describes how to configure exemptable namespaces. Exempting a namespace removes it from enforcement by Policy Controller's admission webhook, but any violations in that namespace are still reported in audit. If you do not configure any namespaces, only the gatekeeper-system namespace is exempt from enforcement.

Before you begin

To follow the commands on this page, install Policy Controller on your cluster. However, you can also enable exemptable namespaces when you first install Policy Controller.

Configuring exemptable namespaces

Configuring an exemptable namespace lets you apply the admission.gatekeeper.sh/ignore label to that namespace. If you later remove a namespace from the exemptable list, Policy Controller does not remove this label from the namespace.

Exempting namespaces from enforcement

Before you can apply the admission.gatekeeper.sh/ignore label, you need to add the namespace's name when you are configuring Policy Controller.

Console - Anthos

  1. In the Cloud Console, go to the Anthos Config Management page.

    Go to Anthos Config Management

  2. Select the registered clusters that you want to enable this feature on and click Configure.

  3. Click ACM settings for your clusters.

  4. In the Exempt namespaces field, provide a list of valid namespaces. Objects in these namespaces are ignored by all policies. The namespaces do not need to currently exist.

  5. Click Done.

Console - GKE

  1. In the Cloud Console, go to the Config Management page.

    Go to Config Management

  2. Next to the cluster that you want to enable the feature on, click Edit.

  3. In the left-hand menu, click Policy Controller.

  4. In the Exempt namespaces field, provide a list of valid namespaces. Objects in these namespaces are ignored by all policies. The namespaces do not need to currently exist.

  5. Click Complete.

gcloud

  1. To exempt a namespace from enforcement, add the namespace's name in spec.policyController.exemptableNamespaces:

    # apply-spec.yaml
    
    applySpecVersion: 1
    spec:
      # Set to true to install and enable Policy Controller
      policyController:
        enabled: true
        exemptableNamespaces: ["NAMESPACE_NAME"]
    ...
    

    You can also exempt multiple namespaces. For example, to exempt the namespaces not-applicable and also-not-applicable, you would apply the following manifest:

    # apply-spec.yaml
    
    applySpecVersion: 1
    spec:
      # Set to true to install and enable Policy Controller
      policyController:
        enabled: true
        exemptableNamespaces: ["not-applicable","also-not-applicable"]
    ...
    
  2. Apply the changes to the apply-spec.yaml file:

     gcloud beta container hub config-management apply \
         --membership=MEMBERSHIP_NAME \
         --config=CONFIG_YAML \
         --project=PROJECT_ID
    

    Replace the following:

    • MEMBERSHIP_NAME: the membership name of the registered cluster that you want to apply this configuration to. If you registered the cluster in the Google Cloud Console, the membership name is the same as the name of your cluster.
    • CONFIG_YAML: the path to your apply-spec.yaml file.
    • PROJECT_ID: your project ID.

Label the namespace

After you have enabled the feature, label your namespaces so Policy Controller's admission webhook does not enforce their contents:

kubectl label namespace NAMESPACE_NAME "admission.gatekeeper.sh/ignore=true"
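Because removing a namespace from exemptableNamespaces does not remove its admission.gatekeeper.sh/ignore label, it is worth periodically comparing the configured list against the labels actually present on the cluster. The following added example (not part of this page or of Policy Controller) does that comparison on a constructed sample of `kubectl get namespaces -o json` output; the namespace names in the sample are invented for illustration.

```python
import json

# gatekeeper-system is exempt from enforcement even when nothing is configured.
ALWAYS_EXEMPT = {"gatekeeper-system"}
IGNORE_LABEL = "admission.gatekeeper.sh/ignore"

# Constructed sample of `kubectl get namespaces -o json`. "legacy-batch" was
# once exempted and labeled, then dropped from exemptableNamespaces, so its
# label remained behind.
SAMPLE_NAMESPACES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "gatekeeper-system",
                      "labels": {IGNORE_LABEL: "true"}}},
        {"metadata": {"name": "not-applicable",
                      "labels": {IGNORE_LABEL: "true"}}},
        {"metadata": {"name": "legacy-batch",
                      "labels": {IGNORE_LABEL: "true"}}},
        {"metadata": {"name": "payments", "labels": {"team": "fin"}}},
        {"metadata": {"name": "also-not-applicable"}},
    ]
})


def ignored_namespaces(namespaces_json):
    """Names of namespaces carrying admission.gatekeeper.sh/ignore=true."""
    doc = json.loads(namespaces_json)
    return {
        ns["metadata"]["name"]
        for ns in doc.get("items", [])
        if ns["metadata"].get("labels", {}).get(IGNORE_LABEL) == "true"
    }


def audit_exemptions(exemptable, namespaces_json):
    """Compare the configured exemptableNamespaces list with cluster labels.

    Returns:
      stale     - labeled as ignored but no longer in exemptableNamespaces;
                  remove the label if webhook enforcement should resume there.
      unlabeled - configured as exemptable but not yet labeled, so the
                  webhook still enforces policies in that namespace.
    """
    configured = set(exemptable) | ALWAYS_EXEMPT
    ignored = ignored_namespaces(namespaces_json)
    return {
        "stale": sorted(ignored - configured),
        "unlabeled": sorted(set(exemptable) - ignored),
    }
```

On a live cluster, feed the function the output of `kubectl get namespaces -o json` and the exemptableNamespaces list from your apply-spec.yaml.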