Exempting Namespaces from Gatekeeper using config resource
The config resource can be used as follows to exclude namespaces from certain processes for all constraints in the cluster. To exclude namespaces at a constraint level, use excludedNamespaces in the constraint instead.
```yaml
spec:
  match:
    - excludedNamespaces: ["kube-system", "gatekeeper-system"]
      processes: ["*"]
    - excludedNamespaces: ["audit-excluded-ns"]
      processes: ["audit"]
    - excludedNamespaces: ["audit-webhook-sync-excluded-ns"]
      processes: ["audit", "webhook", "sync"]
    - excludedNamespaces: ["mutation-excluded-ns"]
      processes: ["mutation-webhook"]
```
The available processes:

- audit process exclusion will exclude resources from the specified namespace(s) in audit results.
- webhook process exclusion will exclude resources from the specified namespace(s) from the admission webhook.
- sync process exclusion will exclude resources from the specified namespace(s) from being synced into OPA.
- mutation-webhook process exclusion will exclude resources from the specified namespace(s) from the mutation webhook.
- * includes all current processes above and includes any future processes.
Exempting Namespaces from the Gatekeeper Admission Webhook using the --exempt-namespace flag
Note that the following only exempts resources from the admission webhook. They will still be audited. Editing individual constraints or the config resource is necessary to exclude them from audit.
If it becomes necessary to exempt a namespace from the Gatekeeper webhook entirely (e.g. you want kube-system to bypass admission checks), here's how to do it:

1. Make sure the validating admission webhook configuration for Gatekeeper has the following namespace selector:

```yaml
- key: admission.gatekeeper.sh/ignore
  operator: DoesNotExist
```

The default Gatekeeper manifest should already have added this. The default name for the webhook configuration is gatekeeper-validating-webhook-configuration and the default name for the webhook that needs the namespace selector is

2. Tell Gatekeeper it's okay for the namespace to be ignored by adding a flag to the pod: --exempt-namespace=<NAMESPACE NAME>. This step is necessary because otherwise the permission to modify a namespace would be equivalent to the permission to exempt everything in that namespace from policy checks. This way a user must explicitly have permissions to configure the Gatekeeper pod before they can add exemptions.

3. Add the admission.gatekeeper.sh/ignore label to the namespace. The value attached to the label is ignored, so it can be used to annotate the reason for the exemption.
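The two mechanisms on this page interact in a way that is easy to get wrong: the config resource removes a namespace only from the processes it names, while the ignore label skips the admission call but leaves audit untouched, and the label is only accepted once the namespace is named in --exempt-namespace. The following is an added example, not code from the Gatekeeper docs or project: a small Python model of those rules over the match list shown above (constructed as dicts; exact-name matching and the four listed processes are assumptions of the model).

```python
ALL_PROCESSES = {"audit", "webhook", "sync", "mutation-webhook"}
IGNORE_LABEL = "admission.gatekeeper.sh/ignore"

# Constructed sample: the match list of the Config resource shown above, as dicts.
CONFIG_MATCH = [
    {"excludedNamespaces": ["kube-system", "gatekeeper-system"], "processes": ["*"]},
    {"excludedNamespaces": ["audit-excluded-ns"], "processes": ["audit"]},
    {"excludedNamespaces": ["audit-webhook-sync-excluded-ns"],
     "processes": ["audit", "webhook", "sync"]},
    {"excludedNamespaces": ["mutation-excluded-ns"], "processes": ["mutation-webhook"]},
]


def excluded_processes(match, namespace):
    """Processes the Config excludes for a namespace; "*" expands to every process."""
    out = set()
    for entry in match:
        if namespace in entry["excludedNamespaces"]:  # assumed: exact-name matching
            procs = set(entry["processes"])
            out |= ALL_PROCESSES if "*" in procs else procs & ALL_PROCESSES
    return out


def config_excludes(match, namespace, process):
    return process in excluded_processes(match, namespace)


def ignore_label_allowed(namespace, exempt_namespaces):
    """Step 2: the ignore label is only accepted on namespaces named in
    --exempt-namespace (assumed exact-name matching), so editing a namespace
    alone cannot exempt it from policy."""
    return namespace in exempt_namespaces


def webhook_evaluates(namespace, namespace_labels, match):
    """Does the validating webhook still check objects in this namespace?
    The namespaceSelector skips the call when the ignore label is present;
    a Config "webhook" exclusion skips evaluation inside Gatekeeper."""
    if IGNORE_LABEL in namespace_labels:
        return False
    return not config_excludes(match, namespace, "webhook")


def audit_evaluates(namespace, match):
    """Audit does not consult the ignore label: only the Config (or a
    constraint's excludedNamespaces) removes a namespace from audit results."""
    return not config_excludes(match, namespace, "audit")
```

Use it as a reviewer's check before approving an exemption: a namespace carrying the ignore label but absent from --exempt-namespace should have been rejected, and a namespace excluded only from the webhook should still appear in audit results.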