This topic describes how to remove a namespace from admission webhook enforcement by Policy Controller by configuring exemptable namespaces. Violations in an exempted namespace are still reported in audit results; only admission-time enforcement is skipped.
Before you begin
Have Anthos Config Management and Policy Controller in your cluster.
Exemptable namespaces
Configuring an exemptable namespace allows a user to apply the label admission.gatekeeper.sh/ignore to that namespace. If you later remove a namespace from the exemptable list, Policy Controller does not remove the label from that namespace; you must remove it yourself.
Exempting namespaces from enforcement
To exempt namespaces so you can apply the admission.gatekeeper.sh/ignore label, add the namespace's name to the ConfigManagement manifest under spec.policyController.exemptableNamespaces.
# config-management.yaml
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
  namespace: config-management-system
spec:
  # clusterName is required and must be unique among all managed clusters
  clusterName: cluster-name
  # Set to true to install and enable Policy Controller
  policyController:
    enabled: true
    exemptableNamespaces: ["namespace-name"]
  ...
You can exempt multiple namespaces. For example, to exempt the namespaces not-applicable and also-not-applicable in the cluster my-cluster, you would apply the following manifest:
# config-management.yaml
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
  namespace: config-management-system
spec:
  # clusterName is required and must be unique among all managed clusters
  clusterName: my-cluster
  # Set to true to install and enable Policy Controller
  policyController:
    enabled: true
    exemptableNamespaces: ["not-applicable","also-not-applicable"]
  ...
Label the namespace
Next, label each exempted namespace so that Anthos Config Management's admission webhook does not enforce policies on its contents:
kubectl label namespace namespace-name "admission.gatekeeper.sh/ignore=true"
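Because the exemptable list and the admission.gatekeeper.sh/ignore label are maintained separately (and, as noted above, Policy Controller does not strip the label when a namespace is removed from the list), it is worth periodically reconciling the two. The following script is an added example, not part of the Anthos documentation or the Policy Controller code: it takes the JSON that `kubectl get configmanagement config-management -n config-management-system -o json` and `kubectl get namespaces -o json` would return and reports namespaces that carry the label without being exemptable (stale labels) and exemptable namespaces that have not been labelled yet (still enforced). The two JSON documents below are constructed sample data standing in for that kubectl output.

```python
"""Reconcile Policy Controller's exemptable namespaces with the namespaces
that actually carry the admission.gatekeeper.sh/ignore label.

Added example; consumes kubectl -o json output. The sample documents below
are constructed, not captured from a real cluster.
"""
import json

IGNORE_LABEL = "admission.gatekeeper.sh/ignore"

# Constructed sample ConfigManagement object listing two exemptable namespaces.
SAMPLE_CONFIG_MANAGEMENT = json.dumps({
    "apiVersion": "configmanagement.gke.io/v1",
    "kind": "ConfigManagement",
    "metadata": {"name": "config-management",
                 "namespace": "config-management-system"},
    "spec": {
        "clusterName": "my-cluster",
        "policyController": {
            "enabled": True,
            "exemptableNamespaces": ["not-applicable", "also-not-applicable"],
        },
    },
})

# Constructed sample NamespaceList: "formerly-exempt" still carries the label
# although it is no longer in the exemptable list, and "also-not-applicable"
# is exemptable but has not been labelled yet.
SAMPLE_NAMESPACES = json.dumps({
    "apiVersion": "v1",
    "kind": "NamespaceList",
    "items": [
        {"metadata": {"name": "not-applicable",
                      "labels": {IGNORE_LABEL: "true"}}},
        {"metadata": {"name": "also-not-applicable", "labels": {}}},
        {"metadata": {"name": "formerly-exempt",
                      "labels": {IGNORE_LABEL: "true"}}},
        {"metadata": {"name": "default",
                      "labels": {"kubernetes.io/metadata.name": "default"}}},
    ],
})


def exemptable_namespaces(config_management_json: str) -> set:
    """Names listed under spec.policyController.exemptableNamespaces."""
    obj = json.loads(config_management_json)
    policy_controller = obj.get("spec", {}).get("policyController", {})
    return set(policy_controller.get("exemptableNamespaces") or [])


def labelled_namespaces(namespace_list_json: str) -> set:
    """Namespaces whose admission.gatekeeper.sh/ignore label is set to 'true'."""
    items = json.loads(namespace_list_json).get("items", [])
    return {
        ns["metadata"]["name"]
        for ns in items
        if (ns["metadata"].get("labels") or {}).get(IGNORE_LABEL) == "true"
    }


def audit_exemptions(config_management_json: str, namespace_list_json: str) -> dict:
    """Cross-check the two views and return sorted lists of discrepancies.

    labelled_not_exemptable: label present but namespace not in the exemptable
        list. Policy Controller leaves the label in place after a namespace is
        removed from the list, so these are stale labels to clean up.
    exemptable_not_labelled: in the exemptable list but not yet labelled, so the
        admission webhook still enforces policies there.
    exempt_and_labelled: configured as intended.
    """
    exemptable = exemptable_namespaces(config_management_json)
    labelled = labelled_namespaces(namespace_list_json)
    return {
        "labelled_not_exemptable": sorted(labelled - exemptable),
        "exemptable_not_labelled": sorted(exemptable - labelled),
        "exempt_and_labelled": sorted(exemptable & labelled),
    }


if __name__ == "__main__":
    report = audit_exemptions(SAMPLE_CONFIG_MANAGEMENT, SAMPLE_NAMESPACES)
    for finding, names in report.items():
        print(f"{finding}: {names}")
```

To run it against a live cluster, replace the two sample strings with the output of the kubectl commands named in the lead-in; namespaces reported under labelled_not_exemptable are the ones to unlabel with `kubectl label namespace <name> admission.gatekeeper.sh/ignore-`.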