This page describes how to configure exempt namespaces in Policy Controller.
Exempting a namespace removes it from admission webhook enforcement by
Policy Controller; resources in that namespace are no longer blocked at admission,
but any violations they cause are still reported by audit. If you don't configure any
namespaces, only the gatekeeper-system namespace is pre-configured as exempt
from Policy Controller admission webhook enforcement.
Configure exempt namespaces
Configuring an exemptable namespace applies the admission.gatekeeper.sh/ignore
label to that namespace, which exempts it from Policy Controller
admission webhook enforcement. If you later remove a namespace from the
exemptable list, Policy Controller does not remove the
admission.gatekeeper.sh/ignore label from the namespace, so the namespace stays
exempt from the webhook until you remove the label yourself.
Exempt namespaces from enforcement
You can exempt namespaces either during Policy Controller installation or after installation. The following process shows you how to exempt namespaces after installation.
Console
- In the Google Cloud console, go to the Policy page under the Posture Management section.
- Under the Settings tab, in the cluster table, select Edit in the Edit configuration column.
- Expand the Edit Policy Controller configuration menu.
- In the Exempt namespaces field, provide a list of valid namespaces. Objects in these namespaces are ignored by all policies. The namespaces don't need to exist yet.
- Select Save changes.
gcloud
To add namespaces to the list of namespaces that may be exempted from enforcement by the admission webhook, run the following command:

gcloud container fleet policycontroller update \
    --memberships=MEMBERSHIP_NAME \
    --exemptable-namespaces=NAMESPACE_LIST

Replace the following:
- MEMBERSHIP_NAME: the membership name of the registered cluster to exempt namespaces on. You can specify multiple memberships separated by a comma.
- NAMESPACE_LIST: a comma-separated list of namespaces that you want Policy Controller to exempt from enforcement.
This command exempts resources only from the admission webhook; the resources are still audited. To exempt namespaces from audit as well, set the exemption at the policy bundle level:
gcloud container fleet policycontroller content bundles set BUNDLE_NAME \
    --memberships=MEMBERSHIP_NAME \
    --exempted-namespaces=NAMESPACE_LIST

Replace the following:
- BUNDLE_NAME: the name of the policy bundle that you want to update with exempted namespaces.
- MEMBERSHIP_NAME: the membership name of the registered cluster to exempt namespaces on. You can specify multiple memberships separated by a comma.
- NAMESPACE_LIST: a comma-separated list of namespaces that you want Policy Controller to exempt from enforcement.
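Because Policy Controller does not remove the admission.gatekeeper.sh/ignore label when a namespace is dropped from the exemptable list, a cluster can accumulate namespaces that still bypass the webhook without appearing in the configured --exemptable-namespaces value. The following script is an added example, not part of the Policy Controller documentation or product: it compares the namespaces that carry the label (read from the JSON that `kubectl get namespaces -o json` prints) against the comma-separated NAMESPACE_LIST you passed to gcloud, reports stale exemptions together with the kubectl commands that clear the label, and also lists configured namespaces that exist but are not labelled yet. The namespace JSON below is constructed inline so the script runs offline; the assumption that the label is the only marker of webhook exemption follows the statement on this page.

```python
"""Compare admission.gatekeeper.sh/ignore labels against the exemptable list.

Added example, not code from the Policy Controller documentation. The sample
namespace JSON is constructed to mimic `kubectl get namespaces -o json`.
"""
from __future__ import annotations

import json

IGNORE_LABEL = "admission.gatekeeper.sh/ignore"
# gatekeeper-system is pre-configured as exempt even with an empty list.
ALWAYS_EXEMPT = {"gatekeeper-system"}


def parse_namespace_list(exemptable: str) -> set[str]:
    """Split the comma-separated NAMESPACE_LIST value passed to gcloud."""
    return {n.strip() for n in exemptable.split(",") if n.strip()}


def labelled_namespaces(namespace_json: str) -> set[str]:
    """Names of namespaces that carry the ignore label (any value)."""
    doc = json.loads(namespace_json)
    found = set()
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        labels = meta.get("labels") or {}
        if IGNORE_LABEL in labels:
            found.add(meta["name"])
    return found


def stale_exemptions(namespace_json: str, exemptable: str) -> list[str]:
    """Namespaces still bypassing the webhook (labelled) that are neither in
    the configured list nor pre-configured as exempt."""
    configured = parse_namespace_list(exemptable) | ALWAYS_EXEMPT
    return sorted(labelled_namespaces(namespace_json) - configured)


def missing_exemptions(namespace_json: str, exemptable: str) -> list[str]:
    """Configured namespaces that exist but do not carry the label yet, so the
    webhook is still enforcing on them."""
    doc = json.loads(namespace_json)
    existing = {i["metadata"]["name"] for i in doc.get("items", [])}
    configured = parse_namespace_list(exemptable)
    return sorted((configured & existing) - labelled_namespaces(namespace_json))


def cleanup_commands(stale: list[str]) -> list[str]:
    """kubectl commands that unset the label; the trailing '-' removes it."""
    return [f"kubectl label namespace {ns} {IGNORE_LABEL}-" for ns in stale]


# Constructed sample of `kubectl get ns -o json` output, trimmed to the
# fields this script reads.
SAMPLE_NS_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "gatekeeper-system",
                      "labels": {IGNORE_LABEL: "true"}}},
        {"metadata": {"name": "kube-system",
                      "labels": {IGNORE_LABEL: "true"}}},
        {"metadata": {"name": "legacy-tools",          # dropped from the list
                      "labels": {IGNORE_LABEL: "true"}}},
        {"metadata": {"name": "payments", "labels": {"team": "fin"}}},
        {"metadata": {"name": "cert-manager", "labels": {}}},
    ]
})

if __name__ == "__main__":
    exemptable = "kube-system,cert-manager"   # the value given to gcloud
    stale = stale_exemptions(SAMPLE_NS_JSON, exemptable)
    print("still exempt from the webhook but not configured:", stale)
    for cmd in cleanup_commands(stale):
        print("   ", cmd)
    print("configured but not yet labelled:",
          missing_exemptions(SAMPLE_NS_JSON, exemptable))
```

Run it against a live cluster by replacing SAMPLE_NS_JSON with the output of `kubectl get namespaces -o json` and the exemptable string with the list you actually set. Review the generated `kubectl label ... -` commands before running them: clearing the label puts that namespace back under webhook enforcement immediately, which can block workloads in a system namespace that was intentionally exempted by other means.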
Namespaces to exempt from enforcement
The following list shows common system namespaces that you might want to exempt from enforcement to avoid unintended behavior like blocking upgrades. This list is not exhaustive:
- anthos-creds
- anthos-identity-service
- apigee
- apigee-system
- asm-system
- capi-kubeadm-bootstrap-system
- capi-system
- cert-manager
- cnrm-system
- config-management-monitoring
- config-management-system
- gke-connect
- gke-gmp-system
- gke-managed-cim
- gke-managed-filestorecsi
- gke-managed-metrics-server
- gke-managed-system
- gke-system
- gmp-public
- gmp-system
- hnc-system
- istio-system
- kube-node-lease
- kube-public
- kube-system
- poco-trial
- resource-group-system
- vm-system
- krmapihosting-system
- krmapihosting-monitoring

