Skip to main content

Cloud and Vendor Specific Fixes

Running on private GKE Cluster nodes#

By default, firewall rules restrict the cluster master communication to nodes only on ports 443 (HTTPS) and 10250 (kubelet). Although Gatekeeper exposes its service on port 443, GKE by default enables --enable-aggregator-routing option, which makes the master to bypass the service and communicate straight to the POD on port 8443.

Two ways of working around this:

  • create a new firewall rule from master to private nodes to open port 8443 (or any other custom port)

  • make the pod to run on privileged port 443 (need to run pod as root)

    • update Gatekeeper deployment manifest spec:

      • remove securityContext settings that force the pods not to run as root
      • update port from 8443 to 443
      containers:- args:  - --port=443  ports:  - containerPort: 443    name: webhook-server    protocol: TCP
    • update Gatekeeper service manifest spec:

      • update targetPort from 8443 to 443
      ports:- port: 443  targetPort: 443

Running on OpenShift 4.x#

When running on OpenShift, the nouid scc must be used to keep a restricted profile but being able to set the UserID.

In order to use it, the following section must be added to the gatekeeper-manager-role Role:

- apiGroups:  - security.openshift.io  resourceNames:    - anyuid  resources:    - securitycontextconstraints  verbs:    - use

With this restricted profile, it won't be possible to set the container.seccomp.security.alpha.kubernetes.io/manager: runtime/default annotation. On the other hand, given the limited amount of privileges provided by the anyuid scc, the annotation can be removed.