gatekeeper
Excluded namespaces do not appear in inventory
What steps did you take and what happened:
With a Gatekeeper Config containing something like this:

spec:
  match:
  - excludedNamespaces:
    - kube-system
    - cattle-gatekeeper-system
    processes:
    - '*'
  sync:
    syncOnly:
    - group: ""
      kind: Namespace
      version: v1

Neither kube-system nor cattle-gatekeeper-system appear in the synced inventory.
What did you expect to happen:
I expect sync (which is about the inventory) to be decoupled from the match.excludedNamespaces (which is about Constraint and Mutator evaluation). It is confusing and unintuitive that excluding resources in a namespace from Constraint evaluation would also exclude that namespace (and presumably any resources inside) from being enumerated in the Gatekeeper inventory. The inventory should always be complete -- Constraints that depend on the inventory would naturally expect the inventory to contain all the resources in the cluster, not just the ones that are in namespaces where Constraints are allowed to be evaluated.
Workaround:
I have worked around this for now by not using excludedNamespaces at all in the Gatekeeper Config, and instead exclude namespaces using the admission.gatekeeper.sh/ignore=true label on namespaces I want to be excluded. But this doesn't exclude them from audit, so it's not a complete solution.
Environment:
- Gatekeeper version: 3.13.4
- Kubernetes version: (use kubectl version): {Major:"1", Minor:"26", GitVersion:"v1.26.8", GitCommit:"395f0a2fdc940aeb9ab88849e8fa4321decbf6e1", GitTreeState:"clean", BuildDate:"2023-08-24T00:43:07Z", GoVersion:"go1.20.7", Compiler:"gc", Platform:"linux/amd64"}
Sounds like you want to exclude some namespaces from being evaluated by a given policy but you still want the namespace to be part of the inventory for all policies. Is that right? Can you see if the excludedNamespaces match field helps? https://open-policy-agent.github.io/gatekeeper/website/docs/howto#the-match-field
I want some namespaces to be entirely exempt from all Gatekeeper constraints and mutators, but not excluded from the inventory.
As I noted in the original report, the workaround is to use the ignore label on the namespace, or (as you note) to have each individual constraint/mutator exclude the namespace(s).
The problem with these approaches, though, is twofold.
First, the fact that the Config resource's excludedNamespaces represents a "master switch" that can disable ALL evaluation for the given namespaces is very useful, especially in an emergency. But its utility is severely hampered if adding namespaces to the Config resource's excludedNamespaces list has unintended side effects, namely that those namespaces (and presumably resources in those namespaces) are also removed from the inventory.
Second, the Config resource is logically split into multiple sections, which are logically independent of each other -- there is the "exclusion" section (documented here: https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces/), then there is the "inventory" section (documented here: https://open-policy-agent.github.io/gatekeeper/website/docs/sync), and finally there is the "debugging" section (documented here: https://open-policy-agent.github.io/gatekeeper/website/docs/debug). The documentation is split into three different sections, so it is natural to think that the configuration settings in each of those sections are independent of each other.
That said, I will walk back my initial statement, as I do see that in https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces, it does show that processes includes sync, and so it should be possible to selectively exclude namespaces from just validation and/or mutation, without excluding it from sync.
So I suppose my real beef boils down to the fact that the documentation did not make it clear to me (when reading https://open-policy-agent.github.io/gatekeeper/website/docs/sync) that the excludedNamespaces part of the Config also impacts this feature.
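The per-process exclusion the comment above arrives at, written out as an added example Config. This is not the reporter's manifest or a file from the Gatekeeper project; the namespace names come from the issue, the metadata name and namespace are the usual Gatekeeper defaults and are an assumption for a given install, and the process names are the documented values of the Config's match.processes field.

```yaml
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config                   # assumption: default Config name
  namespace: gatekeeper-system   # assumption: default install namespace
spec:
  match:
  # Exempt these namespaces from admission validation, mutation and audit only.
  # Listing the processes explicitly instead of '*' leaves "sync" out, so the
  # namespaces are still enumerated in the synced inventory (data.inventory).
  - excludedNamespaces:
    - kube-system
    - cattle-gatekeeper-system
    processes:
    - audit
    - webhook
    - mutation-webhook
  # Inventory section: unchanged from the issue; Namespaces are still synced
  # for every namespace, including the two exempted above.
  sync:
    syncOnly:
    - group: ""
      kind: Namespace
      version: v1
```

With processes: ['*'] the same excludedNamespaces entry also removes the namespaces from sync, which is the behaviour the issue describes; spelling out audit, webhook and mutation-webhook keeps the "master switch" for evaluation while leaving the inventory complete. One caveat worth checking after applying it: constraints that read data.inventory for kube-system or cattle-gatekeeper-system will now see those objects again, so any referential policy that relied on them being absent should be re-audited.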
@skaven81 would you be interested in helping improve this documentation? May be raise a PR?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.