Exclude namespaces from Policy Controller

This page describes how to configure exempt namespaces in Policy Controller.

Exempt namespaces remove a namespace from admission webhook enforcement with Policy Controller, but any violations are still reported in audit. If you don't configure any namespaces, only the gatekeeper-system namespace is pre-configured as exempt from the Policy Controller admission webhook enforcement.

Configure exempt namespaces

Configuring an exemptable namespace lets you apply the admission.gatekeeper.sh/ignore label to exempt the namespace from Policy Controller admission webhook enforcement. If you later remove an exemptable namespace, Policy Controller does not remove the admission.gatekeeper.sh/ignore label from the namespace.

Exempt namespaces from enforcement

You can exempt namespaces either during Policy Controller installation, or after installation. The following process shows you how to exempt namespaces after installation.

Console

  1. In the Google Cloud console, go to the GKE Enterprise Policy page under the Posture Management section.

    Go to Policy

  2. Under the Settings tab, in the cluster table, select Edit in the Edit configuration column.
  3. Expand the Edit Policy Controller configuration menu.
  4. In the Exempt namespaces field, provide a list of valid namespaces. Objects in these namespaces are ignored by all policies. The namespaces don't need to exist yet.
  5. Select Save changes.

gcloud

To add namespaces to the list of namespaces that may be exempted from enforcement by the admission webhook, run the following command:

  gcloud container fleet policycontroller update \
    --memberships=MEMBERSHIP_NAME \
    --exemptable-namespaces=[NAMESPACE_LIST]

Replace the following:

  • MEMBERSHIP_NAME: the membership name of the registered cluster to exempt namespaces on. You can specify multiple memberships separated by a comma.
  • NAMESPACE_LIST: a comma-separated list of namespaces that you want Policy Controller to exempt from enforcement.

This command exempts resources only from the admission webhook. The resources are still audited. To instead exempt namespaces from audit, set the exemption at the policy bundle level instead:

  gcloud container fleet policycontroller content bundles set BUNDLE_NAME \
    --memberships=MEMBERSHIP_NAME \
    --exempted-namespaces=[NAMESPACE_LIST]

Replace the following:

  • BUNDLE_NAME with the name of the policy bundle that you want to update with exempted namespaces.
  • MEMBERSHIP_NAME: the membership name of the registered cluster to exempt namespaces on. You can specify multiple memberships separated by a comma.
  • NAMESPACE_LIST: a comma-separated list of namespaces that you want Policy Controller to exempt from enforcement.

Namespaces to exempt from enforcement

These are some namespaces which could be created by Google Kubernetes Engine (GKE) and related products. You may want to exempt them from enforcement to avoid undesired impact:

- anthos-creds
- anthos-identity-service
- apigee
- apigee-system
- asm-system
- capi-kubeadm-bootstrap-system
- capi-system
- cert-manager
- cnrm-system
- config-management-monitoring
- config-management-system
- gke-connect
- gke-gmp-system
- gke-managed-cim
- gke-managed-filestorecsi
- gke-managed-metrics-server
- gke-managed-system
- gke-system
- gmp-public
- gmp-system
- hnc-system
- istio-system
- kube-node-lease
- kube-public
- kube-system
- poco-trial
- resource-group-system
- vm-system