
Gatekeeper Does not trigger on run pod

Open lir1ka opened this issue 1 year ago • 5 comments

What steps did you take and what happened:

I am testing Gatekeeper in a testing cluster. I blocked access to the Gatekeeper pods to check what will happen in this situation.

When I try to create a namespace:

Error from server (InternalError): Internal error occurred: failed calling webhook "check-ignore-label.gatekeeper.sh": failed to call webhook: Post "https://gatekeeper-webhook-service.gatekeeper-system.svc:443/v1/admitlabel?timeout=3s": dial tcp 10.112.0.99:8443: i/o timeout

So, it is normal behavior.

But when I use the kubectl run command to create a pod:

user@vmfordeploy:~/terraform-newlife$   kubectl run nginx --image=nginx
pod/nginx created

Gatekeeper did not block this operation and I created the pod without any problems. Why?

What did you expect to happen: Gatekeeper blocks the creation of the resource.

Anything else you would like to add:

Environment:

  • Gatekeeper version: 3.16.3
  • Kubernetes version: (use kubectl version): v1.29.1

lir1ka avatar Sep 10 '24 14:09 lir1ka

@lir1ka What you are seeing is expected behavior for Kubernetes webhooks if the Gatekeeper controller deployments are not accessible. Please see https://open-policy-agent.github.io/gatekeeper/website/docs/failing-closed for further information.

sozercan avatar Sep 11 '24 17:09 sozercan

@sozercan, hello! I understood that it is expected behavior (in the situation with the inability to create a namespace). But I still don't understand why I can create a pod.

lir1ka avatar Sep 12 '24 08:09 lir1ka

@lir1ka You need to set validatingWebhookFailurePolicy: Fail if using Helm, or set failurePolicy: Fail (default is Ignore) for the validation.gatekeeper.sh webhook (used for all admission events) - https://github.com/open-policy-agent/gatekeeper/blob/master/deploy/gatekeeper.yaml#L5205 - to deny the creation of the pod.

The situation you are facing is caused by the check-ignore-label.gatekeeper.sh webhook (used only for namespace admission events) - https://github.com/open-policy-agent/gatekeeper/blob/master/deploy/gatekeeper.yaml#L5251 - whose default failurePolicy is set to Fail. You can use the validatingWebhookCheckIgnoreFailurePolicy Helm variable to update the failurePolicy for the check-ignore-label.gatekeeper.sh webhook.

JaydipGabani avatar Sep 23 '24 23:09 JaydipGabani
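An added check, not part of this thread or of the Gatekeeper project, that audits which webhooks in a ValidatingWebhookConfiguration fail open (any failurePolicy other than Fail). The sample JSON is constructed to mirror the two Gatekeeper webhooks and default policies described above; it is not output captured from a real cluster.

```python
import json

# Constructed sample in the shape `kubectl get validatingwebhookconfiguration
# gatekeeper-validating-webhook-configuration -o json` returns, reduced to the
# fields that matter here. The webhook names and default failure policies are
# the ones discussed in this thread; everything else is illustrative.
SAMPLE_CONFIG = json.dumps({
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "gatekeeper-validating-webhook-configuration"},
    "webhooks": [
        {
            "name": "validation.gatekeeper.sh",
            "failurePolicy": "Ignore",
            "timeoutSeconds": 3,
            "rules": [{"apiGroups": ["*"], "apiVersions": ["*"],
                       "operations": ["CREATE", "UPDATE"], "resources": ["*"]}],
        },
        {
            "name": "check-ignore-label.gatekeeper.sh",
            "failurePolicy": "Fail",
            "timeoutSeconds": 3,
            "rules": [{"apiGroups": [""], "apiVersions": ["*"],
                       "operations": ["CREATE", "UPDATE"], "resources": ["namespaces"]}],
        },
    ],
})


def fail_open_webhooks(config_json: str) -> list:
    """Return the webhooks whose failurePolicy is anything other than 'Fail'.

    The API server defaults failurePolicy to 'Fail' when the field is absent,
    so only an explicit non-Fail value is reported as failing open.
    """
    doc = json.loads(config_json)
    flagged = []
    for hook in doc.get("webhooks", []):
        policy = hook.get("failurePolicy", "Fail")
        if policy != "Fail":
            resources = sorted({r for rule in hook.get("rules", [])
                                for r in rule.get("resources", [])})
            flagged.append({"name": hook["name"], "failurePolicy": policy,
                            "resources": resources})
    return flagged


if __name__ == "__main__":
    for hook in fail_open_webhooks(SAMPLE_CONFIG):
        print(f"{hook['name']}: failurePolicy={hook['failurePolicy']} "
              f"(covers {', '.join(hook['resources'])}); requests are admitted "
              "if this webhook cannot be reached")
```

To run it against a live cluster, feed the function the output of `kubectl get validatingwebhookconfiguration <name> -o json` instead of SAMPLE_CONFIG.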

@JaydipGabani, hello! Thank you for your answer. Overall, could you please describe what check-ignore-label.gatekeeper.sh does, and what the ignore label is?

lir1ka avatar Sep 24 '24 12:09 lir1ka

@lir1ka This webhook validates namespaces to make sure "only allowed namespaces are using the admission.gatekeeper.sh/ignore label to prevent the Gatekeeper validation webhook from being called by the API server for the respective namespace". Here is some more information on the same. For more information/context, here is the PR - https://github.com/open-policy-agent/gatekeeper/pull/350

JaydipGabani avatar Sep 24 '24 22:09 JaydipGabani

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Nov 30 '24 16:11 stale[bot]